in_pcb: don't leak credential refcounts on error
ClosedPublic
Actions

Authored by rscheff on Apr 30 2024, 9:47 PM.

Details

Reviewers

glebius
cmiller_netapp.com
jhb
tuexen

Commits

rGb7e312c5abad: in_pcb: don't leak credential refcounts on error
rG30cf0fbf2624: in_pcb: don't leak credential refcounts on error

Summary

In the error path during allocating an in_pcb, the credentials
associated with the new struct get their reference count
increased early on, but not decremented when the allocation
fails.

Reported-by: cmiller_netapp.com
MFC after: 3 days

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

rscheff created this revision.Apr 30 2024, 9:47 PM

Herald added subscribers: melifaro, imp. · View Herald TranscriptApr 30 2024, 9:47 PM

rscheff requested review of this revision.Apr 30 2024, 9:47 PM

Harbormaster completed remote builds in B57476: Diff 137915.Apr 30 2024, 9:47 PM

jhb accepted this revision.Apr 30 2024, 9:59 PM

This revision is now accepted and ready to land.Apr 30 2024, 9:59 PM

Good catch, thanks! Must also be merged to stable/14.

sys/netinet/in_pcb.c
659	Do we need this NULL-ification?

rscheff added inline comments.May 1 2024, 5:51 PM

sys/netinet/in_pcb.c
659	It's done in in_pcbrele_[w/r]locked with #ifdef INVARIANTS also; likely to catch any use-after-free issues. Could bracket that into these #ifdefs too...

rscheff edited the summary of this revision. (Show Details)May 1 2024, 5:58 PM

tuexen accepted this revision.May 1 2024, 7:13 PM

tuexen added inline comments.

sys/netinet/in_pcb.c
659	But we are freeing the inp anyway and it should be no way to reference the inp. So I think we don't need setting `inp->inp_cred` to `NULL`. But I leave it up to you.