diff options
| author | anton <anton@cvs.openbsd.org> | 2021-03-09 20:05:15 +0000 |
|---|---|---|
| committer | anton <anton@cvs.openbsd.org> | 2021-03-09 20:05:15 +0000 |
| commit | 0bf7607683013611d8cd3304124f217e70b7ae42 (patch) | |
| tree | 4d8d42ece67636e2c16b4005e9a60adab16183b4 | |
| parent | be0f2d5e7baa6afb3e93a45b1309e0cdf1477607 (diff) | |
Issuing FIOSETOWN and TIOCSPGRP ioctl commands on a tun(4) device leaks
device references causing a hang while trying to remove the same
interface since the reference count will never reach zero. Instead of
returning, break out of the switch in order to ensure that tun_put()
gets called.
ok deraadt@ mvs@
Reported-by: syzbot+2ca11c73711a1d0b5c6c@syzkaller.appspotmail.com
| -rw-r--r-- | sys/net/if_tun.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/net/if_tun.c b/sys/net/if_tun.c index bb5e27116bc..46a0a2d4735 100644 --- a/sys/net/if_tun.c +++ b/sys/net/if_tun.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_tun.c,v 1.230 2021/02/20 04:39:16 dlg Exp $ */ +/* $OpenBSD: if_tun.c,v 1.231 2021/03/09 20:05:14 anton Exp $ */ /* $NetBSD: if_tun.c,v 1.24 1996/05/07 02:40:48 thorpej Exp $ */ /* @@ -716,7 +716,8 @@ tun_dev_ioctl(dev_t dev, u_long cmd, void *data) break; case FIOSETOWN: case TIOCSPGRP: - return (sigio_setown(&sc->sc_sigio, cmd, data)); + error = sigio_setown(&sc->sc_sigio, cmd, data); + break; case FIOGETOWN: case TIOCGPGRP: sigio_getown(&sc->sc_sigio, cmd, data); |