From 4a0c6403b0ec5c6223c2b798fab231a4fac0a6d1 Mon Sep 17 00:00:00 2001 From: Gleb Smirnoff Date: Wed, 27 Dec 2023 08:34:37 -0800 Subject: inpcb: poison several inpcb pointer in in_pcbfree() There are few subsystems that reference inpcb and allow it to outlive in_pcbfree(). There are no known bugs with them to unreference the options pointers for a freed inpcb. Enforce this so that such bugs don't appear in the future. Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D43134
---
 sys/netinet/in_pcb.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'sys/netinet/in_pcb.c')
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 63b4fc57230e..fa0d7309058e 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -1749,12 +1749,16 @@ in_pcbfree(struct inpcb *inp)
 #ifdef INET
 if (inp->inp_options)
 (void)m_free(inp->inp_options);
+ DEBUG_POISON_POINTER(inp->inp_options);
 imo = inp->inp_moptions;
+ DEBUG_POISON_POINTER(inp->inp_moptions);
 #endif
 #ifdef INET6
 if (inp->inp_vflag & INP_IPV6PROTO) {
 ip6_freepcbopts(inp->in6p_outputopts);
+ DEBUG_POISON_POINTER(inp->in6p_outputopts);
 im6o = inp->in6p_moptions;
+ DEBUG_POISON_POINTER(inp->in6p_moptions);
 } else
 im6o = NULL;
 #endif
-- cgit v1.2.3
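Review bot: The four added `DEBUG_POISON_POINTER(...)` calls carry no comment saying why the fields are poisoned rather than cleared, and, going by the macro's name, they presumably compile to nothing outside debug kernels. If so, in a production build `inp->inp_options` still holds the address of the mbuf just released by `m_free()`, while the commit message says the inpcb can outlive in_pcbfree(). A one-line comment above the first call would record the intent, for example `/* inpcb may outlive in_pcbfree(); poison so a late dereference of the option pointers faults in debug kernels */`. It would also help to state whether leaving the stale values in non-debug builds is deliberate, since assigning NULL instead would let existing `if (inp->inp_options)` style checks hide a late access. in_pcbfree's body starts and ends outside the hunk, so how `imo` and `im6o` are released afterwards is not visible here.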