>I think this can still crash (just like my patch); the problem is in
>what happens when it fails to allocate memory.  Unless you set one of
>the flags, it's still going to panic in the same place, I think, when
>you run out of memory.

No.  The flags are only checked when so_head is not NULL.  sonewconn()
was handing sofree() an inconsistent struct so (so_head was set without
being on either queue), i.e. sonewconn() was creating an invalid data
structure.

The call in sonewconn() used to be to sodealloc(), which didn't care
about whether or not the data structure was self-consistent.  The code
was refactored to do reference counting, but the fact that the socket
was inconsistent at that point wasn't noticed until now.

The problem is not at all based on what happens in the allocation or
protocol attach failure cases.  The SYN cache is not involved, this is
a bug in sonewconn(), plain and simple.

  Bill
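A reduced model of the invariant Bill describes, added here as an illustration and not taken from the FreeBSD source or from the thread: the names so_head, sonewconn(), sofree() and sodealloc() come from the message, while the queue-state flags, the struct layout and the specific way the failure path restores consistency are assumed for the example.

```c
/* Added example, not FreeBSD code: models why handing sofree() a socket
 * with so_head set but on neither accept queue is a bug in sonewconn().
 * Queue-state flags and struct fields are simplified assumptions. */
#include <stdlib.h>
#include <stddef.h>

enum { SQ_NONE = 0, SQ_INCOMP = 1, SQ_COMP = 2 };   /* assumed flags */

struct socket {
    struct socket *so_head;   /* listening socket, or NULL */
    int so_qstate;            /* which accept queue, if any (assumed) */
};

/* Model of sofree(): the queue flags are only consulted when so_head is
 * set, and a socket with so_head set must be on one of the listener's
 * queues. The kernel panics on that inconsistency; here it is reported
 * as -1 so the behaviour can be observed and tested. */
static int sofree(struct socket *so)
{
    if (so->so_head != NULL && so->so_qstate == SQ_NONE) {
        free(so);
        return -1;            /* inconsistent struct: would panic */
    }
    if (so->so_head != NULL) {
        so->so_qstate = SQ_NONE;   /* dequeue from listener (simplified) */
        so->so_head = NULL;
    }
    free(so);
    return 0;
}

/* Failure path of sonewconn() as described above: so_head is assigned
 * before the socket is placed on a queue, then the attach step fails.
 * With fixed == 0 the inconsistent socket reaches sofree(); with
 * fixed != 0 the link is cleared first, one way to restore the
 * invariant (illustrative, not necessarily the committed fix). */
static int sonewconn_fail_path(struct socket *head, int fixed)
{
    struct socket *so = calloc(1, sizeof *so);
    if (so == NULL)
        return -2;            /* allocation failure: a separate case */
    so->so_head = head;       /* linked to the listener ... */
    so->so_qstate = SQ_NONE;  /* ... but on neither queue yet */
    /* protocol attach fails here (modeled) */
    if (fixed)
        so->so_head = NULL;   /* no longer claims listener membership */
    return sofree(so);
}
```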

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message