From 6e9b6d11f44751130492d934121c975470d23fc7 Mon Sep 17 00:00:00 2001
From: mvs
Date: Sun, 16 May 2021 13:09:40 +0000
Subject: In route detach we delete `rop_timeout' while `rop' is still linked to `rtp_list' so it could be re-added by concurrent thread. Also timeout_del(9) doesn't wait timeout proc to be finished and timeout_del_barrier(9) should be used for that. So use timeout_del_barrier(9) instead of timeout_del(9) and moved it just after refcnt_finalize(9). This fixes potential use-after-free issue in route_detach(). ok mpi@
---
 sys/net/rtsock.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 3f8985d6d27..3a1cf04f8ac 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rtsock.c,v 1.312 2021/05/01 16:13:13 mvs Exp $ */
+/* $OpenBSD: rtsock.c,v 1.313 2021/05/16 13:09:39 mvs Exp $ */
 /* $NetBSD: rtsock.c,v 1.18 1996/03/29 00:32:10 cgd Exp $ */
 /*
@@ -346,9 +346,7 @@ route_detach(struct socket *so)
 rw_enter(&rtptable.rtp_lk, RW_WRITE);
- timeout_del(&rop->rop_timeout);
 rtptable.rtp_count--;
-
 SRPL_REMOVE_LOCKED(&rtptable.rtp_rc, &rtptable.rtp_list, rop, rtpcb, rop_list);
 rw_exit(&rtptable.rtp_lk);
@@ -357,6 +355,7 @@ route_detach(struct socket *so)
 /* wait for all references to drop */
 refcnt_finalize(&rop->rop_refcnt, "rtsockrefs");
+ timeout_del_barrier(&rop->rop_timeout);
 solock(so);
-- 
cgit v1.2.3
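Review bot: The new `timeout_del_barrier(&rop->rop_timeout)` in the third hunk is correct only because of an ordering the code does not state: it must follow refcnt_finalize() so that no remaining reference can re-arm the timeout after it has been drained, and it is issued with rtp_lk already released and before solock(so), which matters if the timeout handler needs either lock (a barrier waiting on a handler that is itself blocked on a lock held by the caller would never return). Only the refcnt half is commented; I would extend the comment above refcnt_finalize() to `/* wait for all references to drop, then drain the timeout: nothing can re-arm it now, and we hold no lock the handler may need */`. Whether the handler actually takes the socket lock or rtp_lk is not visible in these hunks, so that part of the wording should be confirmed against the handler. route_detach() begins and ends outside the hunks shown.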