git: 4a0c6403b0ec - main - inpcb: poison several inpcb pointer in in_pcbfree()

From: Gleb Smirnoff <glebius_at_FreeBSD.org>
Date: Wed, 27 Dec 2023 16:35:43 UTC
The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=4a0c6403b0ec5c6223c2b798fab231a4fac0a6d1

commit 4a0c6403b0ec5c6223c2b798fab231a4fac0a6d1
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2023-12-27 16:34:37 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2023-12-27 16:34:37 +0000

    inpcb: poison several inpcb pointer in in_pcbfree()
    
    There are few subsystems that reference inpcb and allow it to outlive
    in_pcbfree().  There are no known bugs with them to unreference the
    options pointers for a freed inpcb.  Enforce this so that such bugs
    don't appear in the future.
    
    Reviewed by:            markj
    Differential Revision:  https://reviews.freebsd.org/D43134
---
 sys/netinet/in_pcb.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 63b4fc57230e..fa0d7309058e 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -1749,12 +1749,16 @@ in_pcbfree(struct inpcb *inp)
 #ifdef INET
 	if (inp->inp_options)
 		(void)m_free(inp->inp_options);
+	DEBUG_POISON_POINTER(inp->inp_options);
 	imo = inp->inp_moptions;
+	DEBUG_POISON_POINTER(inp->inp_moptions);
 #endif
 #ifdef INET6
 	if (inp->inp_vflag & INP_IPV6PROTO) {
 		ip6_freepcbopts(inp->in6p_outputopts);
+		DEBUG_POISON_POINTER(inp->in6p_outputopts);
 		im6o = inp->in6p_moptions;
+		DEBUG_POISON_POINTER(inp->in6p_moptions);
 	} else
 		im6o = NULL;
 #endif