author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2012-01-03 21:50:13 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2012-01-03 21:50:13 +0000 |
commit | 8390485057fcecbd0fa623e72550abc20f2293e8 (patch) | |
tree | afe3a60af06a68141255e965c682e14c356b4d0f /sys | |
parent | e39023b406cea442edbed144144f59e7e6e879c3 (diff) |
When used with socket splicing, tcp_usrreq() might get called with
a socket that has an inp but tp is NULL. The call stack for that
is tcp_input() tcp_close() soisdisconnected() sorwakeup() somove()
tcp_usrreq(PRU_RCVD). To avoid a NULL dereference, just return in
that case.
ok henning@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/tcp_usrreq.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index 6f70aaf3184..78320828840 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_usrreq.c,v 1.108 2011/07/06 23:44:20 sthen Exp $ */ +/* $OpenBSD: tcp_usrreq.c,v 1.109 2012/01/03 21:50:12 bluhm Exp $ */ /* $NetBSD: tcp_usrreq.c,v 1.20 1996/02/13 23:44:16 christos Exp $ */ /* @@ -186,7 +186,11 @@ tcp_usrreq(so, req, m, nam, control, p) } if (inp) { tp = intotcpcb(inp); - /* WHAT IF TP IS 0? */ + /* tp might get 0 when using socket splicing */ + if (tp == NULL) { + splx(s); + return (0); + } #ifdef KPROF tcp_acounts[tp->t_state][req]++; #endif |
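Review bot: the new `if (tp == NULL)` branch in the second hunk returns 0 for every `req`, while the commit message only describes the `PRU_RCVD` call coming from somove(). With this check any other request that reaches an inp without a tcpcb is also reported as success, so consider limiting the silent return to `req == PRU_RCVD` and returning an error for the rest, or stating in the comment why success is correct for all requests. The hunk header shows that tcp_usrreq() also receives `m` and `control`; the visible lines do not show whether the function's normal exit path releases them, so it is worth confirming that this early `splx(s); return (0);` does not skip that cleanup. Minor: the comment says "tp might get 0" while the test is written against `NULL`; using the same term in both would read better.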