CVSROOT:	/cvs
Module name:	src
Changes by:	bl...@cvs.openbsd.org	2025/05/04 17:05:17

Modified files:
	sys/netinet    : in_pcb.c in_pcb.h tcp_input.c
	sys/netinet6   : in6_pcb.c

Log message:
Fix race in TCP SYN cache get.

Setting the local and foreign address of a newly created socket did
not happen atomically.  During socket setup there was a small window
for an inpcb that had a bound laddr, but faddr was empty.  Although
both listen and new socket are locked during syn_cache_get(),
in_pcblookup_listen() could find the inpcb of the new socket.  When a
SYN packet of another connection arrived in parallel, it was processed
with the socket under construction instead of the listen socket.

Setting both faddr and laddr together in in_pcbset_addr() fixes the
race.  The relevant code has been copied from in_pcbconnect().  The
table mutex inpt_mtx guarantees that in_pcblookup_listen() finds the
listen socket.

bug found and fix tested by Mark Patruck; OK mvs@
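
The window described in the log message, as a deterministic user-space model. This is an added example, not OpenBSD code: struct pcb, lookup_listen(), both setters and the sample addresses are hypothetical, and the lookup is called inline at the point where a parallel SYN could run.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model; only the laddr/faddr names come from the commit text. */
struct pcb {
    uint32_t laddr, faddr;      /* 0 means "not set" */
    uint16_t lport;             /* 0 means "not bound" */
    struct pcb *next;
};

/* Assumed listen lookup: first entry on the port with an empty foreign
 * address and a wildcard or matching local address. */
static struct pcb *lookup_listen(struct pcb *head, uint32_t laddr, uint16_t lport)
{
    for (struct pcb *p = head; p != NULL; p = p->next)
        if (p->lport == lport && p->faddr == 0 &&
            (p->laddr == 0 || p->laddr == laddr))
            return p;
    return NULL;
}

/* Before: the local side is stored first; a lookup can run in between. */
static struct pcb *set_addr_split(struct pcb *head, struct pcb *n,
    uint32_t laddr, uint16_t lport, uint32_t faddr)
{
    n->laddr = laddr;
    n->lport = lport;
    struct pcb *seen = lookup_listen(head, laddr, lport);  /* the window */
    n->faddr = faddr;
    return seen;
}

/* After: all stores form one critical section (the table mutex in the
 * commit), so a lookup can only observe the finished entry. */
static struct pcb *set_addr_together(struct pcb *head, struct pcb *n,
    uint32_t laddr, uint16_t lport, uint32_t faddr)
{
    n->laddr = laddr;
    n->lport = lport;
    n->faddr = faddr;
    return lookup_listen(head, laddr, lport);
}

/* Constructed scenario: new socket linked ahead of a wildcard listener. */
static int lookup_hits_new_socket(int use_fix)
{
    struct pcb listener = { 0, 0, 80, NULL };
    struct pcb newso = { 0, 0, 0, &listener };
    struct pcb *seen = (use_fix ? set_addr_together : set_addr_split)(
        &newso, &newso, 0x0a000001, 80, 0x0a000002);
    return seen == &newso;      /* 1: SYN would reach the wrong socket */
}

int main(void) { return !(lookup_hits_new_socket(0) && !lookup_hits_new_socket(1)); }
```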