svn commit: r344516 - stable/12/sys/netinet

Mon Feb 25 12:35:53 UTC 2019

Author: tuexen
Date: Mon Feb 25 12:35:52 2019
New Revision: 344516
URL: https://svnweb.freebsd.org/changeset/base/344516

Log:
  MFC r344428:
  
  This patch addresses an issue brought up by bz@ in D18968:
  When TCP_REASS_LOGGING is defined, a NULL pointer dereference would happen,
  if user data was received during the TCP handshake and BB logging is used.
  
  A KASSERT is also added to detect tcp_reass() calls with illegal parameter
  combinations.
  
  Reported by:		bz@
  Reviewed by:		rrs@
  Sponsored by:		Netflix, Inc.
  Differential Revision:	https://reviews.freebsd.org/D19254

Modified:
  stable/12/sys/netinet/tcp_reass.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netinet/tcp_reass.c
==============================================================================

--- stable/12/sys/netinet/tcp_reass.c	Mon Feb 25 12:33:11 2019	(r344515)
+++ stable/12/sys/netinet/tcp_reass.c	Mon Feb 25 12:35:52 2019	(r344516)
@@ -542,6 +542,10 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, tcp_seq
 	 * and should be rewritten (see NetBSD for optimizations).
 	 */
 
+	KASSERT(th == NULL || (seq_start != NULL && tlenp != NULL),
+	        ("tcp_reass called with illegal parameter combination "
+	         "(tp=%p, th=%p, seq_start=%p, tlenp=%p, m=%p)",
+	         tp, th, seq_start, tlenp, m));
 	/*
 	 * Call with th==NULL after become established to
 	 * force pre-ESTABLISHED data up to user socket.
@@ -1062,12 +1066,20 @@ present:
 		} else {
 #ifdef TCP_REASS_LOGGING
 			tcp_reass_log_new_in(tp, q->tqe_start, q->tqe_len, q->tqe_m, TCP_R_LOG_READ, q);
-			tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 1);
+			if (th != NULL) {
+				tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 1);
+			} else {
+				tcp_log_reassm(tp, q, NULL, 0, 0, TCP_R_LOG_READ, 1);
+			}
 #endif
 			sbappendstream_locked(&so->so_rcv, q->tqe_m, 0);
 		}
 #ifdef TCP_REASS_LOGGING
-		tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 2);
+		if (th != NULL) {
+			tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 2);
+		} else {
+			tcp_log_reassm(tp, q, NULL, 0, 0, TCP_R_LOG_READ, 2);
+		}
 #endif
 		KASSERT(tp->t_segqmbuflen >= q->tqe_mbuf_cnt,
 			("tp:%p seg queue goes negative", tp));
@@ -1083,7 +1095,11 @@ present:
 		      tp, &tp->t_segq, tp->t_segqmbuflen);
 #else
 #ifdef TCP_REASS_LOGGING
-		tcp_log_reassm(tp, NULL, NULL, th->th_seq, *tlenp, TCP_R_LOG_ZERO, 0);
+		if (th != NULL) {
+			tcp_log_reassm(tp, NULL, NULL, th->th_seq, *tlenp, TCP_R_LOG_ZERO, 0);
+		} else {
+			tcp_log_reassm(tp, NULL, NULL, 0, 0, TCP_R_LOG_ZERO, 0);
+		}
 #endif
 		tp->t_segqmbuflen = 0;
 #endif
