Double SCTP_INP_RUNLOCK() in SCTP result in KP
Clément Lecigne
clemun at gmail.com
Sat Jan 14 04:03:02 UTC 2012
Hi,
In sctp_ussreq.c, lines are based from HEAD:
3041 SCTP_INP_RUNLOCK(inp);
3042 onoff = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO);
3043 SCTP_INP_RUNLOCK(inp);
The SCTP_INP_RUNLOCK(in) on line 3043 must be SCTP_INP_LOCK(in), typo?
That results in an easily user triggerable kernel panic through
getsockopt(). I don't think user can do something evil with this
double unlock which result in a kernel panic due to a NULL dereference
in mtx_unlock() on my fresh FreeBSD 9.0.
Bests,
-clem1
More information about the freebsd-security
mailing list