In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees

the inpcb apart from the disconnect. Just call soisdisconnected() and
clear the inp->inp_faddr since the socket is still valid after a disconnect.
Problem found by syzkaller via Greg Steuck
OK visa@
Fixes:
Reported-by: syzbot+2cd350dfe5c96f6469f2@syzkaller.appspotmail.com
Reported-by: syzbot+139ac2d7d3d60162334b@syzkaller.appspotmail.com
Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com
Reported-by: syzbot+de8d2459ecf4cdc576a1@syzkaller.appspotmail.com

1 files changed, 4 insertions, 2 deletions

diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index cfa54f2b5fc..a041bb842b7 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: raw_ip.c,v 1.115 2018/11/10 18:40:34 bluhm Exp $	*/
+/*	$OpenBSD: raw_ip.c,v 1.116 2018/12/03 10:10:49 claudio Exp $	*/
 /*	$NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $	*/
 
 /*
@@ -385,7 +385,9 @@ rip_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
 			error = ENOTCONN;
 			break;
 		}
-		/* FALLTHROUGH */
+		soisdisconnected(so);
+		inp->inp_faddr.s_addr = INADDR_ANY;
+		break;
 	case PRU_ABORT:
 		soisdisconnected(so);
 		if (inp == NULL)