CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org   2025/06/11 08:30:07

Modified files:
        sys/netinet    : tcp_input.c 

Log message:
Fix socket leak in TCP SYN cache.

My socket reference counting commit tcp_input.c rev 1.450 has
introduced a socket leak.  This resulted in mbufs lying in the
socket buffers not being freed.

The TCP SYN cache called soref() to avoid freeing the socket when
it was working with it.  But the unref got lost when socket reference
count moved into the inp.

We have to hold the reference over tcp_drop() in the abort case to
unlock the socket afterwards.  But tcp_drop() removes the inpcb
from the table and drops this reference.  Call in_pcbref() instead
of soref() to have references for both inp and so.  After tcp_drop()
call in_pcbsounlock() and in_pcbunref().  Then the memory is freed
in the final step.  While there move m_freem() out of the socket
lock.

When syn_cache_get() returns the socket successfully, keep the
reference count on the inp.  Then tcp_input() can work with this
inpcb and unref it at the end.

OK mvs@; commit it claudio@; tested by job@
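
The reference pattern the log message describes, as a simplified user-space C model added here; it is not OpenBSD kernel code and not part of the commit. All names (`struct pcb`, `pcb_ref`, `pcb_unref`, `pcb_drop`, `abort_path`) are hypothetical stand-ins, and a single counter stands in for the inp and socket references.

```c
#include <stdbool.h>
#include <stdlib.h>

/* User-space model only: every name below is hypothetical, not kernel code. */
struct pcb {
    int  refcnt;    /* one counter stands in for the inp/socket references */
    bool in_table;  /* while true, the lookup table owns one reference */
    bool locked;    /* stands in for the socket lock */
};
static int live_pcbs;   /* allocated and not yet freed (leak detector) */

static struct pcb *pcb_create(void) {
    struct pcb *p = calloc(1, sizeof(*p));
    if (p == NULL) abort();
    p->refcnt = 1;      /* the table's reference */
    p->in_table = true;
    live_pcbs++;
    return p;
}
static void pcb_ref(struct pcb *p) { p->refcnt++; }
static bool pcb_unref(struct pcb *p) {  /* true when the last ref is gone */
    if (--p->refcnt > 0) return false;
    free(p);
    live_pcbs--;
    return true;
}
static bool pcb_drop(struct pcb *p) {   /* leave the table, drop its ref */
    p->in_table = false;
    return pcb_unref(p);
}

enum mode { NO_REF, REF_NO_UNREF, REF_AND_UNREF };

/* Abort path. Returns objects leaked by this call; *dangling is set when
 * the unlock after the drop would have touched freed memory. */
static int abort_path(enum mode m, bool *dangling) {
    int before = live_pcbs;
    struct pcb *p = pcb_create();
    if (m != NO_REF) pcb_ref(p);        /* caller's own reference */
    p->locked = true;
    *dangling = pcb_drop(p);
    if (!*dangling) p->locked = false;  /* safe: our reference keeps p alive */
    if (m == REF_AND_UNREF) pcb_unref(p);
    return live_pcbs - before;
}
int main(void) {
    bool d;
    return abort_path(REF_AND_UNREF, &d);  /* 0: nothing leaked */
}
```

`REF_NO_UNREF` models the leak (a reference taken and never released), `NO_REF` shows why a reference must be held across the drop, and `REF_AND_UNREF` is the ordering the message describes: drop, unlock, then unref.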
