in_pcb: don't leak credential refcounts on error
ClosedPublic

Authored by rscheff on Apr 30 2024, 9:47 PM.

Details

Summary

In the error path during allocating an in_pcb, the credentials
associated with the new struct get their reference count
increased early on, but not decremented when the allocation
fails.

Reported-by: cmiller_netapp.com
MFC after: 3 days

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 57503
Build 54391: arc lint + arc unit

Event Timeline

This revision is now accepted and ready to land. Apr 30 2024, 9:59 PM

Good catch, thanks! Must also be merged to stable/14.

sys/netinet/in_pcb.c:659

Do we need this NULL-ification?

sys/netinet/in_pcb.c:659

It's done in in_pcbrele_[w/r]locked with #ifdef INVARIANTS also; likely to catch any use-after-free issues. Could bracket that into these #ifdefs too...

tuexen added inline comments.
sys/netinet/in_pcb.c:659

But we are freeing the inp anyway and there should be no way to reference the inp. So I think we don't need to set inp->inp_cred to NULL. But I leave it up to you.

  • bracket setting inp_cred to NULL with #ifdef invariants
This revision now requires review to proceed. May 1 2024, 8:10 PM
This revision is now accepted and ready to land. May 2 2024, 5:33 AM
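
The leak described in the summary and the INVARIANTS-only NULL store discussed in the inline comments, as an added userland example that is not the FreeBSD code or the diff under review. All names (`struct cred`, `struct pcb`, `cred_hold`, `cred_free`, `pcb_alloc`) are hypothetical stand-ins, and the failing setup step is simulated by a flag.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userland model; every name here is hypothetical, not a kernel symbol. */
struct cred { int refs; };
struct pcb  { struct cred *cred; };

static struct cred *cred_hold(struct cred *c) { c->refs++; return (c); }
static void cred_free(struct cred *c) { c->refs--; }

/*
 * Allocate a pcb holding a reference on 'c'. 'init_fails' simulates a later
 * setup step failing; 'release_on_error' selects the corrected error path.
 */
static struct pcb *
pcb_alloc(struct cred *c, int init_fails, int release_on_error)
{
	struct pcb *p = malloc(sizeof(*p));

	if (p == NULL)
		return (NULL);
	p->cred = cred_hold(c);		/* reference taken early */
	if (init_fails) {
		if (release_on_error) {
			cred_free(p->cred);	/* undo the hold taken above */
#ifdef INVARIANTS
			p->cred = NULL;	/* debug builds only: expose stale use */
#endif
		}
		free(p);		/* without the release, the count stays raised */
		return (NULL);
	}
	return (p);
}

/* Credential refcount after one failed allocation (-1 if it did not fail). */
static int
refs_after_failed_alloc(int release_on_error)
{
	struct cred c = { .refs = 1 };	/* constructed: one pre-existing owner */
	struct pcb *p = pcb_alloc(&c, 1, release_on_error);

	return (p == NULL ? c.refs : -1);
}

int
main(void)
{
	printf("leaky=%d fixed=%d\n", refs_after_failed_alloc(0),
	    refs_after_failed_alloc(1));
	return (0);
}
```

In the leaky path each failed allocation leaves the count one higher than its real number of owners, so the credential can never be freed.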