From owner-cvs-all@FreeBSD.ORG  Tue Oct 24 13:23:04 2006
Return-Path: <owner-cvs-all@FreeBSD.ORG>
X-Original-To: cvs-all@FreeBSD.org
Delivered-To: cvs-all@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D388B16A40F;
	Tue, 24 Oct 2006 13:23:04 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A62A043D49;
	Tue, 24 Oct 2006 13:23:04 +0000 (GMT)
	(envelope-from rwatson@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k9ODN4E1070478;
	Tue, 24 Oct 2006 13:23:04 GMT
	(envelope-from rwatson@repoman.freebsd.org)
Received: (from rwatson@localhost)
	by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k9ODN4O1070476;
	Tue, 24 Oct 2006 13:23:04 GMT (envelope-from rwatson)
Message-Id: <200610241323.k9ODN4O1070476@repoman.freebsd.org>
From: Robert Watson <rwatson@FreeBSD.org>
Date: Tue, 24 Oct 2006 13:23:04 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: RELENG_6
Cc: 
Subject: cvs commit: src/sys/netinet ip_output.c
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2006 13:23:04 -0000

rwatson     2006-10-24 13:23:03 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_6)
    sys/netinet          ip_output.c 
  Log:
  Reduce the size of a number of race windows in the TCP socket options
  processing code: a RST may arrive during a socket option call, causing
  the PCB to be freed, leading to an invalid pointer dereference.  When
  the kernel blocks in a socket option copyin or memory allocation (such
  as during heavy paging), the race window is greatly widened.  This
  change re-validates the PCB pointer after returning from the copy/alloc
  operation.  This does not eliminate the problem, but does narrow the
  window significantly (to the point where it may not be observed at all).
  
  The proper fix is in 7.x, which significantly re-works the socket and
  PCB code so that PCB's are not ripped out from under sockets on reset.
  However, those changes are not appropriate for an MFC during a release
  cycle.  As a result, this is not an MFC, but new code crafted for 6.x.
  
  PR:                     kern/102412
  Reported by:            Daniel Austin <daniel at kewlio dot net>
  Tested by:              Diane Bruce <db at db dot net>
  Reviewed by:            Diane Bruce <db at db dot net>
  Approved by:            re (kensmith)
  
  Revision    Changes    Path
  1.242.2.16  +18 -0     src/sys/netinet/ip_output.c