authorAlexander Bluhm <bluhm@cvs.openbsd.org>2013-09-06 18:35:17 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2013-09-06 18:35:17 +0000
commitbc23a9b3e6bdf0d746f65ad457049b06e8709f37 (patch)
tree5af840ee3e67847411cab339826f9b11784372dc /sys
parentc32df1304e2f8c683b2850c0d0300a0e4d237bd3 (diff)
In one core dump the pointers to socket, inpcb, tcpcb on the stack
of tcp_input() and tcp_output() were very inconsistent. Especially the so->so_pcb is NULL which can only happen after the inp has been detached. The whole issue looks similar to the old panic: pool_do_get(inpcbpl): free list modified. http://marc.info/?l=openbsd-bugs&m=132630237316970&w=2 To get more information, add some asserts that guarantee the consistency of the socket, inpcb, tcpcb linking. They should trigger when an inp is taken from the pcb hashes after it has been freed. OK henning@
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/tcp_input.c4
-rw-r--r--sys/netinet/udp_usrreq.c3
2 files changed, 5 insertions, 2 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 5dd996f336d..978e9474fcf 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.267 2013/08/13 09:52:53 mpi Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.268 2013/09/06 18:35:16 bluhm Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -641,6 +641,8 @@ findpcb:
goto dropwithreset_ratelim;
}
}
+ KASSERT(sotoinpcb(inp->inp_socket) == inp);
+ KASSERT(intotcpcb(inp)->t_inpcb == inp);
/* Check the minimum TTL for socket. */
if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl)
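Review bot: The second added assert, `KASSERT(intotcpcb(inp)->t_inpcb == inp);`, dereferences the tcpcb pointer without first checking it for NULL. If an inp can reach this point with no tcpcb attached (the code after the hunk is not visible here, so this is inferred), a DIAGNOSTIC kernel would take a page fault inside the assert instead of reporting the failed condition, which works against the stated goal of getting more information from the next crash. Guarding it as `KASSERT(intotcpcb(inp) == NULL || intotcpcb(inp)->t_inpcb == inp);` keeps the consistency check and leaves the NULL case to whatever handling follows. The code under `findpcb:` starts and ends outside the hunk.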
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 89bd8b8be3c..634f3f4c82a 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.165 2013/07/31 15:41:52 mikeb Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.166 2013/09/06 18:35:16 bluhm Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -592,6 +592,7 @@ udp_input(struct mbuf *m, ...)
return;
}
}
+ KASSERT(sotoinpcb(inp->inp_socket) == inp);
#if NPF > 0
/* The statekey has finished finding the inp, it is no longer needed. */
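Review bot: The added `KASSERT(sotoinpcb(inp->inp_socket) == inp);` carries no comment saying which failure it is meant to catch, so the intent lives only in the commit message. A one-line comment above it would record that, for example `/* An inp taken from the pcb hashes after it was detached no longer matches its socket. */`; the two asserts added in tcp_input.c would take the same comment. Because the check reads through `inp->inp_socket`, it is presumably a best-effort tripwire rather than a guarantee once the inp memory has been reused, and the comment could say so. udp_input's body continues outside the hunk.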