Source-Changes-HG archive


[src/trunk]: src/sys/netinet6 Fix the order in udp6_attach: soreserve should ...



details:   https://anonhg.NetBSD.org/src/rev/c3faa955e46e
branches:  trunk
changeset: 997174:c3faa955e46e
user:      maxv <maxv%NetBSD.org@localhost>
date:      Mon Feb 25 07:31:32 2019 +0000

description:
Fix the order in udp6_attach: soreserve should be called before
in6_pcballoc, otherwise if it fails there is still a PCB attached, and
we hit a KASSERT in socreate. In !DIAGNOSTIC this would have caused a
memory leak.

By the way I find the splsoftnet highly suspicious, in6_pcballoc already
does that.

Triggered by SyzKaller.

Reported-by: syzbot+7bace612ca3cc3e124f8%syzkaller.appspotmail.com@localhost

diffstat:

 sys/netinet6/udp6_usrreq.c |  14 ++++++++------
 1 files changed, 8 insertions(+), 6 deletions(-)

diffs (42 lines):

diff -r c16ba21dabd2 -r c3faa955e46e sys/netinet6/udp6_usrreq.c
--- a/sys/netinet6/udp6_usrreq.c        Mon Feb 25 06:59:37 2019 +0000
+++ b/sys/netinet6/udp6_usrreq.c        Mon Feb 25 07:31:32 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: udp6_usrreq.c,v 1.146 2019/01/28 12:53:01 martin Exp $ */
+/* $NetBSD: udp6_usrreq.c,v 1.147 2019/02/25 07:31:32 maxv Exp $ */
 /* $KAME: udp6_usrreq.c,v 1.86 2001/05/27 17:33:00 itojun Exp $ */
 /* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */
 
@@ -63,7 +63,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.146 2019/01/28 12:53:01 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.147 2019/02/25 07:31:32 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1045,6 +1045,11 @@
        KASSERT(sotoin6pcb(so) == NULL);
        sosetlock(so);
 
+       error = soreserve(so, udp6_sendspace, udp6_recvspace);
+       if (error) {
+               return error;
+       }
+
        /*
         * MAPPED_ADDR implementation spec:
         *  Always attach for IPv6, and only when necessary for IPv4.
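Review bot: the new soreserve() call carries no comment saying why it has to come first, so a later cleanup could move it back below the PCB allocation. A short comment above `error = soreserve(so, udp6_sendspace, udp6_recvspace);` stating that it must fail before any PCB is attached, in line with the `KASSERT(sotoin6pcb(so) == NULL);` just above it, would record the constraint described in the commit message.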
@@ -1055,10 +1060,7 @@
        if (error) {
                return error;
        }
-       error = soreserve(so, udp6_sendspace, udp6_recvspace);
-       if (error) {
-               return error;
-       }
+
        in6p = sotoin6pcb(so);
        in6p->in6p_cksum = -1;  /* just to be sure */
 
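Review bot: the `if (error) { return error; }` kept as context at the top of this hunk is now reached after soreserve() has already succeeded, which was not possible with the old order. Please confirm that returning from there with the send and receive space already reserved needs no unwinding in this function, and note that next to the return so the new failure path is as deliberate as the one the change fixes.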


