git: cdd0ab2374a0 - stable/13 - tcp: improve MAC error handling for SYN segments
Date: Thu, 31 Oct 2024 16:49:53 UTC
The branch stable/13 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=cdd0ab2374a033dadefefab94977aaa38a4af57f

commit cdd0ab2374a033dadefefab94977aaa38a4af57f
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2024-09-26 06:10:01 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2024-10-31 16:49:27 +0000

    tcp: improve MAC error handling for SYN segments

    Don't leak a maclabel when SYN segments are processed which results
    in an error due to MD5 signature handling.
    Tweak the #ifdef MAC to allow additional upcoming changes.

    Reviewed by:            markj
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D46766

    (cherry picked from commit 78e1b031d2e8ef0e1cbc8874891f5476dc7868bc)

--- sys/netinet/tcp_syncache.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c index 111f591c5851..d4e21edc1713 100644 --- a/sys/netinet/tcp_syncache.c +++ b/sys/netinet/tcp_syncache.c @@ -1408,7 +1408,7 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th, int autoflowlabel = 0; #endif #ifdef MAC - struct label *maclabel; + struct label *maclabel = NULL; #endif struct syncache scs; struct ucred *cred; @@ -1806,10 +1806,11 @@ donenoprobe: tfo_expanded: if (cred != NULL) crfree(cred); + if (sc == NULL || sc == &scs) { #ifdef MAC - if (sc == &scs) mac_syncache_destroy(&maclabel); #endif + } return (rv); }
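Review bot: In the first hunk (@@ -1408), the new `= NULL` initializer on `maclabel` is load-bearing for the second hunk, which now reaches `mac_syncache_destroy(&maclabel)` on the `sc == NULL` path, possibly before any label was allocated. Nothing in the visible lines shows that `mac_syncache_destroy()` accepts a pointer to a NULL label, so that should be confirmed, and a one-line comment at the declaration stating that the exit path depends on the initializer would keep a later cleanup from dropping it.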
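Review bot: In the second hunk (@@ -1806), the widened condition `if (sc == NULL || sc == &scs)` after `tfo_expanded:` destroys the label on every exit where `sc` is NULL, which is only correct if no such path has already released `maclabel` or handed it to another owner. The visible context does not show those paths, so it is worth checking each early `goto` into this exit block for a double destroy. Separately, on kernels built without MAC the block compiles to an empty `if (...) { }`; the commit message says this shape is preparation for upcoming changes, and a short comment inside the braces saying so would stop it from being removed as dead code in the meantime.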