author | Mark Johnston <markj@FreeBSD.org> | 2021-09-18 14:38:39 +0000 |
---|---|---|
committer | Mark Johnston <markj@FreeBSD.org> | 2021-09-18 14:38:39 +0000 |
commit | 50b07c1f7131fd535bbe1b53a3a2e4dfcdcc2e51 (patch) | |
tree | c3311c4faa5d4220784c3124d1069ae936945c9a | |
parent | 8e496ea1df1f00ea7832eb41754dbbb56dd244c8 (diff) | |
unix: Fix a use-after-free in unp_drop()
We need to load the socket pointer after locking the PCB, otherwise
the socket may have been detached and freed by the time that unp_drop()
sets so_error.
This previously went unnoticed because the socket zone was _NOFREE.
Reported by: pho
MFC after: 1 week
-rw-r--r-- | sys/kern/uipc_usrreq.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 5add930bfa8e..0ee29143c731 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1971,7 +1971,7 @@ unp_shutdown(struct unpcb *unp)
 static void
 unp_drop(struct unpcb *unp)
 {
-	struct socket *so = unp->unp_socket;
+	struct socket *so;
 	struct unpcb *unp2;
 
 	/*
@@ -1981,6 +1981,7 @@ unp_drop(struct unpcb *unp)
 	 */
 	UNP_PCB_LOCK(unp);
+	so = unp->unp_socket;
 	if (so)
 		so->so_error = ECONNRESET;
 	if ((unp2 = unp_pcb_lock_peer(unp)) != NULL) { |
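Review bot: The new declaration `struct socket *so;` leaves `so` uninitialized until the load that now follows `UNP_PCB_LOCK(unp)`, and nothing at the declaration records why the initializer was dropped, so the rationale lives only in the commit message and a later cleanup could easily hoist the load back above the lock. A one-line comment on the declaration would pin it: `struct socket *so;	/* loaded only after the PCB is locked; see below */`. The PCB lock is what keeps the socket from being detached and freed here, so any use of `so` after that lock is released would reintroduce the use-after-free this commit fixes; I cannot see the remainder of unp_drop() from these hunks, so whether every use of `so` stays under the lock is worth confirming. unp_drop()'s body continues past both hunks.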