Module Name:    src
Committed By:   maxv
Date:           Sat Nov 16 10:15:10 UTC 2019

Modified Files:
        src/sys/netinet: tcp_input.c

Log Message:
Call rtcache_unref() only when the checks succeed, instead of relying on
another NULL check in rtcache_unref(). Because, in order to resolve the
address of the second argument, we do a dereference on 'tp', which is
theoretically allowed to be NULL.

The five callers of nd6_hint() never pass a NULL argument however, so by
luck the actual NULL deref never happens. Maybe the NULL check on 'tp' in
should be replaced to a KASSERT ensuring it isn't NULL, for clarity.

Reported by kUBSan.

To generate a diff of this commit:
cvs rdiff -u -r1.416 -r1.417 src/sys/netinet/tcp_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: src/sys/netinet/tcp_input.c diff -u src/sys/netinet/tcp_input.c:1.416 src/sys/netinet/tcp_input.c:1.417 --- src/sys/netinet/tcp_input.c:1.416 Wed Sep 25 19:06:30 2019 +++ src/sys/netinet/tcp_input.c Sat Nov 16 10:15:10 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: tcp_input.c,v 1.416 2019/09/25 19:06:30 jnemeth Exp $ */ +/* $NetBSD: tcp_input.c,v 1.417 2019/11/16 10:15:10 maxv Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -148,7 +148,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.416 2019/09/25 19:06:30 jnemeth Exp $"); +__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.417 2019/11/16 10:15:10 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -260,9 +260,10 @@ nd6_hint(struct tcpcb *tp) struct rtentry *rt = NULL; if (tp != NULL && tp->t_in6pcb != NULL && tp->t_family == AF_INET6 && - (rt = rtcache_validate(&tp->t_in6pcb->in6p_route)) != NULL) + (rt = rtcache_validate(&tp->t_in6pcb->in6p_route)) != NULL) { nd6_nud_hint(rt); - rtcache_unref(rt, &tp->t_in6pcb->in6p_route); + rtcache_unref(rt, &tp->t_in6pcb->in6p_route); + } } #else static inline void
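
Review bot: in the nd6_hint() hunk the condition still opens with `tp != NULL`, so the function keeps advertising NULL as a supported input even though the log message says none of the five callers passes one. Consider putting `KASSERT(tp != NULL);` at the top of nd6_hint() and dropping that term from the `if`, so the contract is explicit and a violating caller is caught instead of silently skipped. The brace change itself is right: in the removed line, `rtcache_unref(rt, &tp->t_in6pcb->in6p_route)` sat outside the `if`, so its second argument was evaluated through `tp` and `tp->t_in6pcb` even when the checks on those pointers had just failed. A one-line comment above the `if` saying that the unref must stay paired with a successful rtcache_validate() would keep a later cleanup from hoisting it back out.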