On Sun, Dec 02, 2018 at 11:15:03AM +0100, Claudio Jeker wrote:
> On Sun, Dec 02, 2018 at 09:29:23AM +0100, Claudio Jeker wrote:
> > On Sat, Dec 01, 2018 at 06:44:31PM -0800, Greg Steuck wrote:
> > > This thwarts the reproducer. Again, I don't know if the invariants are
> > > getting violated somewhere else and the patch below is simply papering
> > > over the symptoms.
> > 
> > I would like to better understand how we get so far with a socket where
> > so_pcb is not initialized. This and also the other bug are basically the
> > same. The stack assumes that after a successful socket() operation both
> > socket and pcb exist and are connected. Since this seems to not be
> > the case it is important to catch those errors further up in uipc_socket.c
> > before passing down into protocol specific functions.
> >
> 
> So the issue is the double connect() call on the SOCK_RAW socket.
> The second connect is calling PRU_DISCONNECT which in the end does a
> FALLTHROUGH into PRU_ABORT which removes the inp by calling
> in_pcbdetach().
> 
> I think the proper fix is to not have this FALLTHROUGH and just call
> soisdisconnected(). Maybe inp->inp_faddr should also be reset to 0.
> 
> This will fix also other double connect() SOCK_RAW crashes you spotted.

The version I will commit will also reset inp->inp_faddr since this is
what other protos are doing and it is more correct anyway.

-- 
:wq Claudio

Index: raw_ip.c
===================================================================
RCS file: /cvs/src/sys/netinet/raw_ip.c,v
retrieving revision 1.115
diff -u -p -r1.115 raw_ip.c
--- raw_ip.c    10 Nov 2018 18:40:34 -0000      1.115
+++ raw_ip.c    3 Dec 2018 08:13:24 -0000
@@ -385,7 +385,9 @@ rip_usrreq(struct socket *so, int req, s
                        error = ENOTCONN;
                        break;
                }
-               /* FALLTHROUGH */
+               soisdisconnected(so);
+               inp->inp_faddr.s_addr = INADDR_ANY;
+               break;
        case PRU_ABORT:
                soisdisconnected(so);
                if (inp == NULL)
