The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=50b07c1f7131fd535bbe1b53a3a2e4dfcdcc2e51

commit 50b07c1f7131fd535bbe1b53a3a2e4dfcdcc2e51
Author:     Mark Johnston <ma...@freebsd.org>
AuthorDate: 2021-09-18 14:38:39 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2021-09-18 14:38:39 +0000

    unix: Fix a use-after-free in unp_drop()
    
    We need to load the socket pointer after locking the PCB, otherwise
    the socket may have been detached and freed by the time that unp_drop()
    sets so_error.
    
    This previously went unnoticed as the socket zone was _NOFREE.
    
    Reported by:    pho
    MFC after:      1 week
---
 sys/kern/uipc_usrreq.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 5add930bfa8e..0ee29143c731 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1971,7 +1971,7 @@ unp_shutdown(struct unpcb *unp)
 static void
 unp_drop(struct unpcb *unp)
 {
-       struct socket *so = unp->unp_socket;
+       struct socket *so;
        struct unpcb *unp2;
 
        /*
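Review bot: the comment block that opens at `/*` right after the declarations (its body lies outside this hunk) should now state that `unp->unp_socket` is only stable while `UNP_PCB_LOCK(unp)` is held, since that invariant is the whole reason `struct socket *so;` is left uninitialized here instead of being assigned at declaration; without it a later cleanup could reintroduce the `struct socket *so = unp->unp_socket;` initializer this hunk removes.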
@@ -1981,6 +1981,7 @@ unp_drop(struct unpcb *unp)
         */
 
        UNP_PCB_LOCK(unp);
+       so = unp->unp_socket;
        if (so)
                so->so_error = ECONNRESET;
        if ((unp2 = unp_pcb_lock_peer(unp)) != NULL) {
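Review bot: the moved load `so = unp->unp_socket;` after `UNP_PCB_LOCK(unp);` closes the race described in the commit message only if the detach path clears `unp_socket` under that same PCB lock; that is not visible in this hunk, so it is worth confirming (a `UNP_PCB_LOCK_ASSERT` in the detach path, if not already present, would document it). Separately, `so->so_error = ECONNRESET;` is still written while holding the PCB lock rather than `SOCK_LOCK(so)`, which is the pre-existing pattern this change keeps; a one-line comment noting that the PCB lock, not the socket lock, is what keeps `so` alive across this write would help the next reader who sees the unlocked `so_error` store.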
_______________________________________________
dev-commits-src-main@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main
To unsubscribe, send any mail to "dev-commits-src-main-unsubscr...@freebsd.org"