git: 2f5ac48d9b6d - stable/14 - tcp: improve MAC error handling for SYN segments
Date: Thu, 31 Oct 2024 13:55:26 UTC
The branch stable/14 has been updated by tuexen:
URL: https://cgit.FreeBSD.org/src/commit/?id=2f5ac48d9b6d7bd8928604f8259c48ad4246e7ae
commit 2f5ac48d9b6d7bd8928604f8259c48ad4246e7ae
Author: Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2024-09-26 06:10:01 +0000
Commit: Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2024-10-31 11:33:35 +0000
tcp: improve MAC error handling for SYN segments
Don't leak a maclabel when SYN segments are processed which results
in an error due to MD5 signature handling.
Tweak the #ifdef MAC to allow additional upcoming changes.
Reviewed by: markj
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D46766
(cherry picked from commit 78e1b031d2e8ef0e1cbc8874891f5476dc7868bc)
---
sys/netinet/tcp_syncache.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index b6318ec23556..fa64d2d79c3b 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1382,7 +1382,7 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
int autoflowlabel = 0;
#endif
#ifdef MAC
- struct label *maclabel;
+ struct label *maclabel = NULL;
#endif
struct syncache scs;
struct ucred *cred;
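Review bot: the `= NULL` initializer on maclabel is no longer cosmetic and deserves a one-line comment saying so. The cleanup in the later hunk now calls mac_syncache_destroy(&maclabel) when sc == NULL as well, which presumably includes exits taken before the label was ever assigned, so the destroy call has to be safe on a NULL label. It is worth confirming that mac_syncache_destroy() tolerates that, and noting the dependency here so the initializer is not later removed as redundant.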
@@ -1773,10 +1773,11 @@ donenoprobe:
tfo_expanded:
if (cred != NULL)
crfree(cred);
+ if (sc == NULL || sc == &scs) {
#ifdef MAC
- if (sc == &scs)
mac_syncache_destroy(&maclabel);
#endif
+ }
return (rv);
}
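Review bot: the new `if (sc == NULL || sc == &scs) {` block compiles to an empty body when MAC is not defined, because its only statement sits inside the #ifdef MAC. The commit message says this shape is preparation for upcoming changes, but nothing in the code says so. Please add a short comment on the condition stating the ownership rule it encodes (the label still belongs to this function when there is no syncache entry or when the on-stack scs was used), so a later cleanup does not fold it back into the old `sc == &scs` test and reintroduce the leak on the sc == NULL path.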