MFC-ing TCP timer race condition fix
Julien Charbon
jch at freebsd.org
Fri May 15 12:40:14 UTC 2015
Hi,
On 05/05/15 18:15, Julien Charbon wrote:
> I was asked if it is possible to MFC r281599 in FreeBSD 10:
>
> ---
> Fix an old and well-documented use-after-free race condition in
> TCP timers:
> - Add a reference from tcpcb to its inpcb
> - Defer tcpcb deletion until TCP timers have finished
> ---
> https://svnweb.freebsd.org/base?view=revision&revision=281599
>
> First, I thought it was not possible as it touches struct
> tcp_timer/struct tcpcb_mem. Second, John pointed out to me that these two
> structures are used only internally. The only side effect I was able to
> find is the increase of struct tcpcb_mem size:
>
> - stable/10: struct tcpcb_mem size is 1024 bytes
> - stable/10 + tcp timer change: struct tcpcb_mem size is 1032 bytes
> - currently in head: struct tcpcb_mem size is 1048 bytes
>
> If you have extra concerns on MFC-ing this change, please scream.
> Without nice yelps I plan to "MFC after: 1 month" (around May 16th).
Following the lack of screamed concerns, here is the MFC-ing result in
stable/10 of the old and well-documented use-after-free TCP timer race
condition fix:
https://svnweb.freebsd.org/base?view=revision&revision=282964
Thanks again, John, for your input about the feasibility of this MFC.
--
Julien