git: eec9084656bc - main - rack: Reload the TCP stack PCB after reacquiring the inpcb lock
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 30 Jun 2026 17:19:11 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=eec9084656bcd7dd52f8f564c96dc6aced5be554
commit eec9084656bcd7dd52f8f564c96dc6aced5be554
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-06-23 21:46:17 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-30 17:00:23 +0000
rack: Reload the TCP stack PCB after reacquiring the inpcb lock
Malicious userspace might switch TCP stacks twice while the inpcb lock
is dropped. If it does so, the validation of tp->t_fb might succeed,
but the saved pointer to the stack PCB might be invalid. Reload it to
avoid this problem, as BBR already does.
Approved by: so
Security: FreeBSD-SA-26:43.tcp
Security: CVE-2026-49422
Reported by: Maik Münch
Reviewed by: tuexen
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57791
---
sys/netinet/tcp_stacks/rack.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c
index c37003698f0a..3a6a374318ca 100644
--- a/sys/netinet/tcp_stacks/rack.c
+++ b/sys/netinet/tcp_stacks/rack.c
@@ -24211,6 +24211,7 @@ process_opt:
INP_WUNLOCK(inp);
return (ENOPROTOOPT);
}
+ rack = (struct tcp_rack *)tp->t_fb_ptr;
if (rack->defer_options && (rack->gp_ready == 0) &&
(sopt->sopt_name != TCP_DEFER_OPTIONS) &&
(sopt->sopt_name != TCP_HYBRID_PACING) &&