Double SCTP_INP_RUNLOCK() in SCTP result in KP

Clément Lecigne clemun at gmail.com
Sat Jan 14 04:03:02 UTC 2012


Hi,

In sctp_ussreq.c, lines are based from HEAD:

3041 	SCTP_INP_RUNLOCK(inp);
3042 	onoff = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO);
3043 	SCTP_INP_RUNLOCK(inp);

The SCTP_INP_RUNLOCK(in) on line 3043 must be SCTP_INP_LOCK(in), typo?
That results in an easily user triggerable kernel panic through
getsockopt(). I don't think user can do something evil with this
double unlock which result in a kernel panic due to a NULL dereference
in mtx_unlock() on my fresh FreeBSD 9.0.

Bests,
-clem1


More information about the freebsd-security mailing list