author | Michael Tuexen <tuexen@FreeBSD.org> | 2024-09-26 06:10:01 +0000 |
---|---|---|
committer | Michael Tuexen <tuexen@FreeBSD.org> | 2024-09-26 06:10:01 +0000 |
commit | 78e1b031d2e8ef0e1cbc8874891f5476dc7868bc (patch) | |
tree | ea9ddc5cb18e3e163861ad1226f85b53b0ee1d8c | |
parent | 2fb778fab893b4a8a86ecfa20acf2e23bb2cdae8 (diff) | |
tcp: improve MAC error handling for SYN segments
Don't leak a maclabel when SYN segments are processed which results
in an error due to MD5 signature handling.
Tweak the #ifdef MAC to allow additional upcoming changes.
Reviewed by: markj
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D46766
-rw-r--r-- | sys/netinet/tcp_syncache.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 80bf12474c1c..ed131421207d 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1372,7 +1372,7 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 int autoflowlabel = 0;
 #endif
 #ifdef MAC
- struct label *maclabel;
+ struct label *maclabel = NULL;
 #endif
 struct syncache scs;
 struct ucred *cred;
@@ -1763,10 +1763,11 @@ donenoprobe:
 tfo_expanded:
 if (cred != NULL)
 crfree(cred);
+ if (sc == NULL || sc == &scs) {
 #ifdef MAC
- if (sc == &scs)
 mac_syncache_destroy(&maclabel);
 #endif
+ }
 return (rv);
 }
 |
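Review bot: The cleanup at `tfo_expanded:` now calls `mac_syncache_destroy(&maclabel)` when `sc == NULL`, and with the new `maclabel = NULL` initialiser in the first hunk that call can be reached with a NULL label, so it relies on `mac_syncache_destroy()` tolerating NULL; that function is not shown here, so this should be confirmed and stated. It also relies on every path that leaves `sc` as NULL or `&scs` still owning `maclabel` (never having stored it in a cache entry that frees it separately), otherwise the label would be released twice. I would record both assumptions above the new `if`, e.g. `/* sc is NULL or the on-stack scs here, so maclabel was never handed to a cache entry and is still ours to release; mac_syncache_destroy() must accept a NULL label. */`. Without MAC the `if` compiles to an empty body, which the commit message suggests is intentional for follow-up changes; the comment could say so. The body of syncache_add() between the two hunks is outside this view, so the ownership paths could not be checked here.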