diff options
| author | Gleb Smirnoff <glebius@FreeBSD.org> | 2023-12-27 16:34:37 +0000 |
|---|---|---|
| committer | Gleb Smirnoff <glebius@FreeBSD.org> | 2023-12-27 16:34:37 +0000 |
| commit | 4a0c6403b0ec5c6223c2b798fab231a4fac0a6d1 (patch) | |
| tree | 0fde267d450838851ab89d78467a1c15493fd453 /sys/netinet/in_pcb.c | |
| parent | a13039e2709277b1c3b159e694cc909a5e044151 (diff) | |
| download | src-4a0c6403b0ec5c6223c2b798fab231a4fac0a6d1.tar.gz src-4a0c6403b0ec5c6223c2b798fab231a4fac0a6d1.zip | |
inpcb: poison several inpcb pointer in in_pcbfree()
There are few subsystems that reference inpcb and allow it to outlive
in_pcbfree(). There are no known bugs with them to unreference the
options pointers for a freed inpcb. Enforce this so that such bugs
don't appear in the future.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D43134
Diffstat (limited to 'sys/netinet/in_pcb.c')
| -rw-r--r-- | sys/netinet/in_pcb.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 63b4fc57230e..fa0d7309058e 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1749,12 +1749,16 @@ in_pcbfree(struct inpcb *inp) #ifdef INET if (inp->inp_options) (void)m_free(inp->inp_options); + DEBUG_POISON_POINTER(inp->inp_options); imo = inp->inp_moptions; + DEBUG_POISON_POINTER(inp->inp_moptions); #endif #ifdef INET6 if (inp->inp_vflag & INP_IPV6PROTO) { ip6_freepcbopts(inp->in6p_outputopts); + DEBUG_POISON_POINTER(inp->in6p_outputopts); im6o = inp->in6p_moptions; + DEBUG_POISON_POINTER(inp->in6p_moptions); } else im6o = NULL; #endif |