author | 2012-01-03 21:50:12 +0000 | |
---|---|---|
committer | 2012-01-03 21:50:12 +0000 | |
commit | c8324d5260d2dbab9c23b8c34b78f60d89de499e (patch) | |
tree | 1ba1491c97bc4ddc77bad78bc6a485581c504eac /sys/netinet/tcp_usrreq.c | |
parent | Instead of having two functions pf_free_fragment() and pf_remove_fragment() (diff) | |
download | wireguard-openbsd-c8324d5260d2dbab9c23b8c34b78f60d89de499e.tar.xz wireguard-openbsd-c8324d5260d2dbab9c23b8c34b78f60d89de499e.zip |
When used with socket splicing, tcp_usrreq() might get called with
a socket that has an inp but tp is NULL. The call stack for that
is tcp_input() tcp_close() soisdisconnected() sorwakeup() somove()
tcp_usrreq(PRU_RCVD). To avoid a NULL dereference, just return in
that case.
ok henning@
Diffstat (limited to 'sys/netinet/tcp_usrreq.c')
-rw-r--r-- | sys/netinet/tcp_usrreq.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index 6f70aaf3184..78320828840 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_usrreq.c,v 1.108 2011/07/06 23:44:20 sthen Exp $ */ +/* $OpenBSD: tcp_usrreq.c,v 1.109 2012/01/03 21:50:12 bluhm Exp $ */ /* $NetBSD: tcp_usrreq.c,v 1.20 1996/02/13 23:44:16 christos Exp $ */ /* @@ -186,7 +186,11 @@ tcp_usrreq(so, req, m, nam, control, p) } if (inp) { tp = intotcpcb(inp); - /* WHAT IF TP IS 0? */ + /* tp might get 0 when using socket splicing */ + if (tp == NULL) { + splx(s); + return (0); + } #ifdef KPROF tcp_acounts[tp->t_state][req]++; #endif |
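Review bot: The new `if (tp == NULL)` branch in the second hunk returns 0 for every value of `req`, while the commit message only describes the `PRU_RCVD` path reached from somove(). Returning success silently is reasonable for `PRU_RCVD`, but for any other request that arrives with an inp and no tp the caller would be told the operation succeeded. Consider returning 0 only when `req == PRU_RCVD` and an error otherwise, or extend the comment to say why success is correct for all requests. The early return also leaves `m` and `control` untouched, so it is worth confirming that no request type that can reach this point expects tcp_usrreq() to consume those mbufs. The placement itself is right: the check sits before the first dereference, `tcp_acounts[tp->t_state][req]++` under KPROF, and `splx(s)` is restored before returning.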