Date: Thu, 21 Feb 2019 09:34:47 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r344428 - head/sys/netinet Message-ID: <201902210934.x1L9Ylos001869@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Thu Feb 21 09:34:47 2019 New Revision: 344428 URL: https://svnweb.freebsd.org/changeset/base/344428 Log: This patch addresses an issue brought up by bz@ in D18968: When TCP_REASS_LOGGING is defined, a NULL pointer dereference would happen, if user data was received during the TCP handshake and BB logging is used. A KASSERT is also added to detect tcp_reass() calls with illegal parameter combinations. Reported by: bz@ Reviewed by: rrs@ MFC after: 3 days Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D19254 Modified: head/sys/netinet/tcp_reass.c Modified: head/sys/netinet/tcp_reass.c ============================================================================== --- head/sys/netinet/tcp_reass.c Thu Feb 21 08:37:39 2019 (r344427) +++ head/sys/netinet/tcp_reass.c Thu Feb 21 09:34:47 2019 (r344428) @@ -542,6 +542,10 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, tcp_seq * and should be rewritten (see NetBSD for optimizations). */ + KASSERT(th == NULL || (seq_start != NULL && tlenp != NULL), + ("tcp_reass called with illegal parameter combination " + "(tp=%p, th=%p, seq_start=%p, tlenp=%p, m=%p)", + tp, th, seq_start, tlenp, m)); /* * Call with th==NULL after become established to * force pre-ESTABLISHED data up to user socket. @@ -1062,12 +1066,20 @@ present: } else { #ifdef TCP_REASS_LOGGING tcp_reass_log_new_in(tp, q->tqe_start, q->tqe_len, q->tqe_m, TCP_R_LOG_READ, q); - tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 1); + if (th != NULL) { + tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 1); + } else { + tcp_log_reassm(tp, q, NULL, 0, 0, TCP_R_LOG_READ, 1); + } #endif sbappendstream_locked(&so->so_rcv, q->tqe_m, 0); } #ifdef TCP_REASS_LOGGING - tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 2); + if (th != NULL) { + tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 2); + } else { + tcp_log_reassm(tp, q, NULL, 0, 0, TCP_R_LOG_READ, 2); + } #endif KASSERT(tp->t_segqmbuflen >= q->tqe_mbuf_cnt, ("tp:%p seg queue goes negative", tp)); @@ -1083,7 +1095,11 @@ present: tp, &tp->t_segq, tp->t_segqmbuflen); #else #ifdef TCP_REASS_LOGGING - tcp_log_reassm(tp, NULL, NULL, th->th_seq, *tlenp, TCP_R_LOG_ZERO, 0); + if (th != NULL) { + tcp_log_reassm(tp, NULL, NULL, th->th_seq, *tlenp, TCP_R_LOG_ZERO, 0); + } else { + tcp_log_reassm(tp, NULL, NULL, 0, 0, TCP_R_LOG_ZERO, 0); + } #endif tp->t_segqmbuflen = 0; #endif
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201902210934.x1L9Ylos001869>