git: 78e1b031d2e8 - main - tcp: improve MAC error handling for SYN segments
Date: Thu, 26 Sep 2024 06:12:11 UTC
The branch main has been updated by tuexen:
URL: https://cgit.FreeBSD.org/src/commit/?id=78e1b031d2e8ef0e1cbc8874891f5476dc7868bc
commit 78e1b031d2e8ef0e1cbc8874891f5476dc7868bc
Author: Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2024-09-26 06:10:01 +0000
Commit: Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2024-09-26 06:10:01 +0000
tcp: improve MAC error handling for SYN segments
Don't leak a maclabel when SYN segments are processed which results
in an error due to MD5 signature handling.
Tweak the #ifdef MAC to allow additional upcoming changes.
Reviewed by: markj
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D46766
---
sys/netinet/tcp_syncache.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 80bf12474c1c..ed131421207d 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1372,7 +1372,7 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
int autoflowlabel = 0;
#endif
#ifdef MAC
- struct label *maclabel;
+ struct label *maclabel = NULL;
#endif
struct syncache scs;
struct ucred *cred;
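Review bot: the `= NULL` initializer on `maclabel` is now load-bearing for the exit path of `syncache_add()`, which with this patch also calls `mac_syncache_destroy(&maclabel)` when `sc == NULL`, yet nothing at the declaration says so. Suggest a short comment here noting that the label has to start out as NULL because the cleanup code may run before it is ever set up. Please also confirm that `mac_syncache_destroy()` does nothing for a NULL label, since that function is not visible in this diff.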
@@ -1763,10 +1763,11 @@ donenoprobe:
tfo_expanded:
if (cred != NULL)
crfree(cred);
+ if (sc == NULL || sc == &scs) {
#ifdef MAC
- if (sc == &scs)
mac_syncache_destroy(&maclabel);
#endif
+ }
return (rv);
}
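Review bot: with `if (sc == NULL || sc == &scs) {` moved outside `#ifdef MAC`, a kernel built without MAC compiles an `if` with an empty body, and the meaning of the two conditions is left undocumented. Suggest a one-line comment above the `if` stating why these two values of `sc` mean the label has to be released here, and that the empty non-MAC body is intentional pending the upcoming changes the commit message mentions. The hunk also relies on `maclabel` being NULL when `sc == NULL` is reached before the label is set up, so the comment could point back to the initializer at the declaration.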