svn commit: r336616 - head/sys/netinet
Matt Macy
mmacy at FreeBSD.org
Sun Jul 22 20:02:15 UTC 2018
Author: mmacy
Date: Sun Jul 22 20:02:14 2018
New Revision: 336616
URL: https://svnweb.freebsd.org/changeset/base/336616
Log:
Fix a potential use after free in getsockopt() access to inp_options
Discussed with: jhb
Reviewed by: sbruno, transport
MFC after: 2 weeks
Sponsored by: Limelight Networks
Differential Revision: https://reviews.freebsd.org/D14621
Modified:
head/sys/netinet/ip_output.c
Modified: head/sys/netinet/ip_output.c
==============================================================================
--- head/sys/netinet/ip_output.c Sun Jul 22 18:31:15 2018 (r336615)
+++ head/sys/netinet/ip_output.c Sun Jul 22 20:02:14 2018 (r336616)
@@ -1256,13 +1256,23 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
switch (sopt->sopt_name) {
case IP_OPTIONS:
case IP_RETOPTS:
- if (inp->inp_options)
- error = sooptcopyout(sopt,
- mtod(inp->inp_options,
- char *),
- inp->inp_options->m_len);
- else
+ INP_RLOCK(inp);
+ if (inp->inp_options) {
+ struct mbuf *options;
+
+ options = m_dup(inp->inp_options, M_NOWAIT);
+ INP_RUNLOCK(inp);
+ if (options != NULL) {
+ error = sooptcopyout(sopt,
+ mtod(options, char *),
+ options->m_len);
+ m_freem(options);
+ } else
+ error = ENOMEM;
+ } else {
+ INP_RUNLOCK(inp);
sopt->sopt_valsize = 0;
+ }
break;
case IP_TOS:
More information about the svn-src-all
mailing list