author | mvs <mvs@cvs.openbsd.org> | 2021-05-16 13:09:40 +0000 |
---|---|---|
committer | mvs <mvs@cvs.openbsd.org> | 2021-05-16 13:09:40 +0000 |
commit | 6e9b6d11f44751130492d934121c975470d23fc7 (patch) | |
tree | 72ac004ba9ec6652f2012111d81b3da260c522ff | |
parent | a85d436e698576aa23de7089d798c5b9b397b215 (diff) |
In route detach we delete `rop_timeout' while `rop' is still linked to
`rtp_list' so it could be re-added by a concurrent thread. Also
timeout_del(9) doesn't wait for the timeout proc to finish and
timeout_del_barrier(9) should be used for that.
So use timeout_del_barrier(9) instead of timeout_del(9) and move it
just after refcnt_finalize(9). This fixes a potential use-after-free
issue in route_detach().
ok mpi@
-rw-r--r-- | sys/net/rtsock.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index 3f8985d6d27..3a1cf04f8ac 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rtsock.c,v 1.312 2021/05/01 16:13:13 mvs Exp $ */ +/* $OpenBSD: rtsock.c,v 1.313 2021/05/16 13:09:39 mvs Exp $ */ /* $NetBSD: rtsock.c,v 1.18 1996/03/29 00:32:10 cgd Exp $ */ /* @@ -346,9 +346,7 @@ route_detach(struct socket *so) rw_enter(&rtptable.rtp_lk, RW_WRITE); - timeout_del(&rop->rop_timeout); rtptable.rtp_count--; - SRPL_REMOVE_LOCKED(&rtptable.rtp_rc, &rtptable.rtp_list, rop, rtpcb, rop_list); rw_exit(&rtptable.rtp_lk); @@ -357,6 +355,7 @@ route_detach(struct socket *so) /* wait for all references to drop */ refcnt_finalize(&rop->rop_refcnt, "rtsockrefs"); + timeout_del_barrier(&rop->rop_timeout); solock(so); |
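Review bot: In the hunk at line 346 of route_detach(), with timeout_del() gone from the section under rtptable.rtp_lk, rop_timeout can still fire in the window between rw_exit(&rtptable.rtp_lk) and the later timeout_del_barrier() call. Please confirm that the timeout handler is safe to run against a rop that has already been taken off rtp_list and had rtp_count decremented, and say so in the commit message or in a comment, since nothing in these lines shows it.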
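Review bot: In the hunk at line 357, the existing comment "/* wait for all references to drop */" only describes refcnt_finalize(), so the ordering that this fix depends on is undocumented. Add a short comment above timeout_del_barrier(&rop->rop_timeout) stating that it must run after the rop has been unlinked and after refcnt_finalize() so no other thread can re-add the timeout, and that it stays ahead of solock(so) because the barrier waits for a running handler to finish. Without that, a later cleanup could move the call back under a lock or in front of the refcount wait and reintroduce the use-after-free.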