diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2025-07-25 13:10:24 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2025-07-25 17:39:00 +0000 |
| commit | e1751ef896119d7372035b1b60f18a6342bd0e3b (patch) | |
| tree | e3ae3f18b9df4a34f84203e90978c55d11384072 | |
| parent | c6da58bc17fa2cd9d39ad53a5b15b7c74d445df8 (diff) | |
udp: Fix a inpcb refcount leak in the tunnel receive path
When the socket has a tunneling function attached, udp_append() drops
the inpcb lock before calling it. To keep the inpcb alive, we bump the
refcount. After commit 742e7210d00b we only dropped the reference if
the tunnel consumed the packet, but it needs to be dropped in either
case. if_ovpn is the only driver that can trigger this bug.
Fixes: 742e7210d00b ("udp: allow udp_tun_func_t() to indicate it did not eat the packet")
Reviewed by: kp
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51505
| -rw-r--r-- | sys/netinet/udp_usrreq.c | 11 | ||||
| -rw-r--r-- | sys/netinet6/udp6_usrreq.c | 11 |
2 files changed, 16 insertions, 6 deletions
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index dafbaf6dc672..42cfb919e263 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -243,7 +243,6 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off, struct sockaddr_in6 udp_in6; #endif struct udpcb *up; - bool filtered; INP_LOCK_ASSERT(inp); @@ -252,13 +251,19 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off, */ up = intoudpcb(inp); if (up->u_tun_func != NULL) { + bool filtered; + in_pcbref(inp); INP_RUNLOCK(inp); filtered = (*up->u_tun_func)(n, off, inp, (struct sockaddr *)&udp_in[0], up->u_tun_ctx); INP_RLOCK(inp); - if (filtered) - return (in_pcbrele_rlocked(inp)); + if (in_pcbrele_rlocked(inp)) + return (1); + if (filtered) { + INP_RUNLOCK(inp); + return (1); + } } off += sizeof(struct udphdr); diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index 304effa26e01..b3ed16fda713 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c @@ -142,7 +142,6 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off, struct socket *so; struct mbuf *opts = NULL, *tmp_opts; struct udpcb *up; - bool filtered; INP_LOCK_ASSERT(inp); @@ -151,13 +150,19 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off, */ up = intoudpcb(inp); if (up->u_tun_func != NULL) { + bool filtered; + in_pcbref(inp); INP_RUNLOCK(inp); filtered = (*up->u_tun_func)(n, off, inp, (struct sockaddr *)&fromsa[0], up->u_tun_ctx); INP_RLOCK(inp); - if (filtered) - return (in_pcbrele_rlocked(inp)); + if (in_pcbrele_rlocked(inp)) + return (1); + if (filtered) { + INP_RUNLOCK(inp); + return (1); + } } off += sizeof(struct udphdr); |