git: 4a0c6403b0ec - main - inpcb: poison several inpcb pointer in in_pcbfree()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 27 Dec 2023 16:35:43 UTC
The branch main has been updated by glebius:
URL: https://cgit.FreeBSD.org/src/commit/?id=4a0c6403b0ec5c6223c2b798fab231a4fac0a6d1
commit 4a0c6403b0ec5c6223c2b798fab231a4fac0a6d1
Author: Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2023-12-27 16:34:37 +0000
Commit: Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2023-12-27 16:34:37 +0000
inpcb: poison several inpcb pointer in in_pcbfree()
There are few subsystems that reference inpcb and allow it to outlive
in_pcbfree(). There are no known bugs with them to unreference the
options pointers for a freed inpcb. Enforce this so that such bugs
don't appear in the future.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D43134
---
sys/netinet/in_pcb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 63b4fc57230e..fa0d7309058e 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -1749,12 +1749,16 @@ in_pcbfree(struct inpcb *inp)
#ifdef INET
if (inp->inp_options)
(void)m_free(inp->inp_options);
+ DEBUG_POISON_POINTER(inp->inp_options);
imo = inp->inp_moptions;
+ DEBUG_POISON_POINTER(inp->inp_moptions);
#endif
#ifdef INET6
if (inp->inp_vflag & INP_IPV6PROTO) {
ip6_freepcbopts(inp->in6p_outputopts);
+ DEBUG_POISON_POINTER(inp->in6p_outputopts);
im6o = inp->in6p_moptions;
+ DEBUG_POISON_POINTER(inp->in6p_moptions);
} else
im6o = NULL;
#endif