upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

tcp: improve ref count handling when processing SYN

Browse source 
Don't leak a reference count for so->so_cred when processing an
incoming SYN segment with an on-stack syncache entry and the
sysctl variable net.inet.tcp.syncache.see_other is false.

Reviewed by:		cc, markj, rscheff
Sponsored by:		Netflix, Inc.
Pull Request:		https://reviews.freebsd.org/D46793

(cherry picked from commit cbc9438f0505bd971e9eba635afdae38a267d76e)
This commit is contained in:
Michael Tuexen 2024-09-28 22:06:41 +02:00
parent 2f5ac48d9b
commit 00c3c39fcc
1 changed files with 14 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
sys/netinet/tcp_syncache.c
View file

@ -1385,7 +1385,6 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
struct label *maclabel = NULL;
#endif
struct syncache scs;
struct ucred *cred;
uint64_t tfo_response_cookie;
unsigned int *tfo_pending = NULL;
int tfo_cookie_valid = 0;
@ -1402,7 +1401,6 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
*/
KASSERT(SOLISTENING(so), ("%s: %p not listening", __func__, so));
tp = sototcpcb(so);
cred = V_tcp_syncache.see_other ? NULL : crhold(so->so_cred);
#ifdef INET6
if (inc->inc_flags & INC_ISIPV6) {
@ -1633,9 +1631,21 @@ skip_alloc:
#ifdef MAC
sc->sc_label = maclabel;
#endif
sc->sc_cred = cred;
/*
* sc_cred is only used in syncache_pcblist() to list TCP endpoints in
* TCPS_SYN_RECEIVED state when V_tcp_syncache.see_other is false.
* Therefore, store the credentials and take a reference count only
* when needed:
* - sc is allocated from the zone and not using the on stack instance.
* - the sysctl variable net.inet.tcp.syncache.see_other is false.
* The reference count is decremented when a zone allocated sc is
* freed in syncache_free().
*/
if (sc != &scs && !V_tcp_syncache.see_other)
sc->sc_cred = crhold(so->so_cred);
else
sc->sc_cred = NULL;
sc->sc_port = port;
cred = NULL;
sc->sc_ipopts = ipopts;
bcopy(inc, &sc->sc_inc, sizeof(struct in_conninfo));
sc->sc_ip_tos = ip_tos;
@ -1771,8 +1781,6 @@ donenoprobe:
tcp_fastopen_decrement_counter(tfo_pending);
tfo_expanded:
if (cred != NULL)
crfree(cred);
if (sc == NULL || sc == &scs) {
#ifdef MAC
mac_syncache_destroy(&maclabel);