authormvs <mvs@cvs.openbsd.org>2021-05-16 13:09:40 +0000
committermvs <mvs@cvs.openbsd.org>2021-05-16 13:09:40 +0000
commit6e9b6d11f44751130492d934121c975470d23fc7 (patch)
tree72ac004ba9ec6652f2012111d81b3da260c522ff
parenta85d436e698576aa23de7089d798c5b9b397b215 (diff)
In route detach we delete `rop_timeout' while `rop' is still linked to
`rtp_list', so it could be re-added by a concurrent thread. Also, timeout_del(9) doesn't wait for the timeout handler to finish; timeout_del_barrier(9) should be used for that. So use timeout_del_barrier(9) instead of timeout_del(9) and move it to just after refcnt_finalize(9). This fixes a potential use-after-free issue in route_detach(). ok mpi@
-rw-r--r--sys/net/rtsock.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 3f8985d6d27..3a1cf04f8ac 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rtsock.c,v 1.312 2021/05/01 16:13:13 mvs Exp $ */
+/* $OpenBSD: rtsock.c,v 1.313 2021/05/16 13:09:39 mvs Exp $ */
/* $NetBSD: rtsock.c,v 1.18 1996/03/29 00:32:10 cgd Exp $ */
/*
@@ -346,9 +346,7 @@ route_detach(struct socket *so)
rw_enter(&rtptable.rtp_lk, RW_WRITE);
- timeout_del(&rop->rop_timeout);
rtptable.rtp_count--;
-
SRPL_REMOVE_LOCKED(&rtptable.rtp_rc, &rtptable.rtp_list, rop, rtpcb,
rop_list);
rw_exit(&rtptable.rtp_lk);
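Review bot: The locked section no longer cancels `rop_timeout`, but nothing in the new code records that the cancellation now happens later, after refcnt_finalize(), so a reader of this block sees `rtp_count--` and `SRPL_REMOVE_LOCKED(...)` without knowing the timeout may still fire once `rop` is off `rtp_list`. A short comment above `SRPL_REMOVE_LOCKED(...)`, e.g. `/* rop_timeout is cancelled with timeout_del_barrier() after refcnt_finalize(); deleting it here races with a concurrent re-arm */`, would document the ordering the fix depends on. Between rw_exit() here and refcnt_finalize() the handler may still run against an unlinked `rop`; if that handler re-arms itself (not visible in this hunk), it should be confirmed that timeout_del_barrier() also catches an entry re-added after its own delete step, otherwise the handler could still outlive the object. route_detach() starts and ends outside the hunk.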
@@ -357,6 +355,7 @@ route_detach(struct socket *so)
/* wait for all references to drop */
refcnt_finalize(&rop->rop_refcnt, "rtsockrefs");
+ timeout_del_barrier(&rop->rop_timeout);
solock(so);