svn commit: r336616 - head/sys/netinet

Matt Macy mmacy at FreeBSD.org
Sun Jul 22 20:02:15 UTC 2018


Author: mmacy
Date: Sun Jul 22 20:02:14 2018
New Revision: 336616
URL: https://svnweb.freebsd.org/changeset/base/336616

Log:
  Fix a potential use after free in getsockopt() access to inp_options
  
  Discussed with: jhb
  Reviewed by:	sbruno, transport
  MFC after:	2 weeks
  Sponsored by:	Limelight Networks
  Differential Revision:	https://reviews.freebsd.org/D14621

Modified:
  head/sys/netinet/ip_output.c

Modified: head/sys/netinet/ip_output.c
==============================================================================
--- head/sys/netinet/ip_output.c	Sun Jul 22 18:31:15 2018	(r336615)
+++ head/sys/netinet/ip_output.c	Sun Jul 22 20:02:14 2018	(r336616)
@@ -1256,13 +1256,23 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
 		switch (sopt->sopt_name) {
 		case IP_OPTIONS:
 		case IP_RETOPTS:
-			if (inp->inp_options)
-				error = sooptcopyout(sopt,
-						     mtod(inp->inp_options,
-							  char *),
-						     inp->inp_options->m_len);
-			else
+			INP_RLOCK(inp);
+			if (inp->inp_options) {
+				struct mbuf *options;
+
+				options = m_dup(inp->inp_options, M_NOWAIT);
+				INP_RUNLOCK(inp);
+				if (options != NULL) {
+					error = sooptcopyout(sopt,
+							     mtod(options, char *),
+							     options->m_len);
+					m_freem(options);
+				} else
+					error = ENOMEM;
+			} else {
+				INP_RUNLOCK(inp);
 				sopt->sopt_valsize = 0;
+			}
 			break;
 
 		case IP_TOS:
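Review bot: m_dup() is meant for packet-header mbuf chains, and nothing in this hunk shows that inp_options is allocated with a packet header, so the call `options = m_dup(inp->inp_options, M_NOWAIT);` should be checked against the allocation site. If the options mbuf turns out to be a plain data mbuf, `m_copym(inp->inp_options, 0, M_COPYALL, M_NOWAIT)` looks like the safer way to take the copy. The copy-then-unlock sequence also deserves a one-line comment, for example `/* Copy under the inp lock; sooptcopyout() may fault, so the lock cannot be held across it. */`, so that a later cleanup does not reintroduce the unlocked read of inp_options. sooptcopyout() still takes only `options->m_len` bytes from the first mbuf of the copy, which presumably relies on the options always fitting in a single mbuf. The body of ip_ctloutput starts and ends outside the hunk.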

