
tcp: cleanup resource handling when adding SYN-cache entries
Status: Needs Review (Public)

Authored by tuexen on Sun, May 31, 4:06 PM.
Summary

Handle cred, ipopts, and maclabel using the same pattern: allocate at the beginning and set to NULL when the object is transferred to a struct syncache. When exiting the function, free the objects if not transferred or when transferred to the on-stack struct syncache. This makes use of a new function syncache_release().

This fixes a use after free problem, which was reported by Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai.

ipopts should only be freed if the on-stack struct syncache is used and the pointer in this structure still points to the allocated ipopts. If these ipopts are moved from the struct syncache to the struct inpcb in syncache_socket(), which is called by syncache_tfo_expand(), the pointer in the struct syncache is set to NULL.

In a FreeBSD default setup this problem is mitigated by:

  1. TCP fast open support on the server side not being enabled (the sysctl variable net.inet.tcp.fastopen.server_enable is 0).
  2. Incoming IP packets with source routing options not being processed by the host stack (the sysctl variable net.inet.ip.accept_sourceroute is 0).

A FreeBSD system is affected only if both of these sysctl variables are changed and a server actually using TCP fast open is running.
This patch is an alternative to D57104 and would be MFCed to stable/14 and stable/15.

Diff Detail

Repository: rG FreeBSD src repository