git: 4a0c6403b0ec - main - inpcb: poison several inpcb pointer in in_pcbfree()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 27 Dec 2023 16:35:43 UTC
The branch main has been updated by glebius: URL: https://cgit.FreeBSD.org/src/commit/?id=4a0c6403b0ec5c6223c2b798fab231a4fac0a6d1 commit 4a0c6403b0ec5c6223c2b798fab231a4fac0a6d1 Author: Gleb Smirnoff <glebius@FreeBSD.org> AuthorDate: 2023-12-27 16:34:37 +0000 Commit: Gleb Smirnoff <glebius@FreeBSD.org> CommitDate: 2023-12-27 16:34:37 +0000 inpcb: poison several inpcb pointer in in_pcbfree() There are few subsystems that reference inpcb and allow it to outlive in_pcbfree(). There are no known bugs with them to unreference the options pointers for a freed inpcb. Enforce this so that such bugs don't appear in the future. Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D43134 --- sys/netinet/in_pcb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 63b4fc57230e..fa0d7309058e 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1749,12 +1749,16 @@ in_pcbfree(struct inpcb *inp) #ifdef INET if (inp->inp_options) (void)m_free(inp->inp_options); + DEBUG_POISON_POINTER(inp->inp_options); imo = inp->inp_moptions; + DEBUG_POISON_POINTER(inp->inp_moptions); #endif #ifdef INET6 if (inp->inp_vflag & INP_IPV6PROTO) { ip6_freepcbopts(inp->in6p_outputopts); + DEBUG_POISON_POINTER(inp->in6p_outputopts); im6o = inp->in6p_moptions; + DEBUG_POISON_POINTER(inp->in6p_moptions); } else im6o = NULL; #endif