authorMark Johnston <markj@FreeBSD.org>2021-09-18 14:38:39 +0000
committerMark Johnston <markj@FreeBSD.org>2021-09-25 00:59:20 +0000
commit6955c22001b13b0a3315be5f4c957c2a853ad43e (patch)
tree865f78578346461b21044e70b1abbf41c9a14ea3
parent5a9ecb0b1505b4830c67b586164be7593ba32bf4 (diff)
unix: Fix a use-after-free in unp_drop()
We need to load the socket pointer after locking the PCB, otherwise the socket may have been detached and freed by the time that unp_drop() sets so_error. This previously went unnoticed as the socket zone was _NOFREE. Reported by: pho (cherry picked from commit 50b07c1f7131fd535bbe1b53a3a2e4dfcdcc2e51)
-rw-r--r--sys/kern/uipc_usrreq.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 3d7daac42001..5dca0714c400 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1962,7 +1962,7 @@ unp_shutdown(struct unpcb *unp)
static void
unp_drop(struct unpcb *unp)
{
- struct socket *so = unp->unp_socket;
+ struct socket *so;
struct unpcb *unp2;
/*
@@ -1972,6 +1972,7 @@ unp_drop(struct unpcb *unp)
*/
UNP_PCB_LOCK(unp);
+ so = unp->unp_socket;
if (so)
so->so_error = ECONNRESET;
if ((unp2 = unp_pcb_lock_peer(unp)) != NULL) {