Oups mistake, the LOCK() should be on line 3041, same problem just above on line 3021, UNLOCK() instead of LOCK().
-clem1 Le 14 janvier 2012 05:03, Clément Lecigne <cle...@gmail.com> a écrit : > Hi, > > In sctp_ussreq.c, lines are based from HEAD: > > 3041 SCTP_INP_RUNLOCK(inp); > 3042 onoff = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO); > 3043 SCTP_INP_RUNLOCK(inp); > > The SCTP_INP_RUNLOCK(in) on line 3043 must be SCTP_INP_LOCK(in), typo? > That results in an easily user triggerable kernel panic through > getsockopt(). I don't think user can do something evil with this > double unlock which result in a kernel panic due to a NULL dereference > in mtx_unlock() on my fresh FreeBSD 9.0. > > Bests, > -clem1 -- -clem1 _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
