authorMichael Tuexen <tuexen@FreeBSD.org>2024-09-26 06:10:01 +0000
committerMichael Tuexen <tuexen@FreeBSD.org>2024-09-26 06:10:01 +0000
commit78e1b031d2e8ef0e1cbc8874891f5476dc7868bc (patch)
treeea9ddc5cb18e3e163861ad1226f85b53b0ee1d8c
parent2fb778fab893b4a8a86ecfa20acf2e23bb2cdae8 (diff)
tcp: improve MAC error handling for SYN segments
Don't leak a maclabel when SYN segments are processed which results in an error due to MD5 signature handling. Tweak the #ifdef MAC to allow additional upcoming changes. Reviewed by: markj MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D46766
-rw-r--r--sys/netinet/tcp_syncache.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 80bf12474c1c..ed131421207d 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1372,7 +1372,7 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
int autoflowlabel = 0;
#endif
#ifdef MAC
- struct label *maclabel;
+ struct label *maclabel = NULL;
#endif
struct syncache scs;
struct ucred *cred;
@@ -1763,10 +1763,11 @@ donenoprobe:
tfo_expanded:
if (cred != NULL)
crfree(cred);
+ if (sc == NULL || sc == &scs) {
#ifdef MAC
- if (sc == &scs)
mac_syncache_destroy(&maclabel);
#endif
+ }
return (rv);
}
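Review bot: The new guard `if (sc == NULL || sc == &scs) {` encodes who owns maclabel at function exit, but nothing in the hunk says so, and in a kernel built without MAC it compiles to an empty block. A short comment above it would make the rule explicit for the upcoming changes the commit message mentions, for example `/* sc is NULL or the on-stack scs: the label was never handed to a cached entry, so release it here. */` (presumably any other sc value means the entry owns the label; confirm against the rest of syncache_add, which starts well before this hunk). With the first hunk initialising `maclabel = NULL`, the `sc == NULL` exit can now reach `mac_syncache_destroy(&maclabel)` before a label was ever allocated, so the call relies on that function accepting a NULL label; its body is not shown here, so that is worth confirming and mentioning in the same comment. Since the leak being fixed sits on an error path driven by incoming SYN segments, a regression test that sends SYNs failing the MD5 signature check and watches label allocations would keep this from reappearing.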