Diffusion FreeBSD src repository - subversion rS163655

Reduce the size of a number of race windows in the TCP socket options
rS163655Unpublished
Actions

Unpublished Commit · Learn More

No further details are available.

Description

Reduce the size of a number of race windows in the TCP socket options
processing code: a RST may arrive during a socket option call, causing
the PCB to be freed, leading to an invalid pointer dereference. When
the kernel blocks in a socket option copyin or memory allocation (such
as during heavy paging), the race window is greatly widened. This
change re-validates the PCB pointer after returning from the copy/alloc
operation. This does not eliminate the problem, but does narrow the
window significantly (to the point where it may not be observed at all).

The proper fix is in 7.x, which significantly re-works the socket and
PCB code so that PCB's are not ripped out from under sockets on reset.
However, those changes are not appropriate for an MFC during a release
cycle. As a result, this is not an MFC, but new code crafted for 6.x.

PR: kern/102412
Reported by: Daniel Austin <daniel at kewlio dot net>
Tested by: Diane Bruce <db at db dot net>
Reviewed by: Diane Bruce <db at db dot net>
Approved by: re (kensmith)

Details

Provenance

rwatson

Authored on

Parents

rS163654: Document NO_IGNORE and its interation with FORBIDDEN.

Branches

Unknown

Tags

Unknown

Event Timeline

Changes (1)

Path

Size

stable/

sys/

netinet/

ip_output.c

rS163655

View Options

stable/6/sys/netinet/ip_output.c

Reduce the size of a number of race windows in the TCP socket optionsrS163655UnpublishedActions