mirror of
https://github.com/opnsense/src.git
synced 2026-04-24 23:57:30 -04:00
sdp: Use an mbufq for received control packets.
This is simpler than the hand-rolled queue, and fixes a use-after-free. Sponsored by: EMC / Isilon Storage Division
This commit is contained in:
Mark Johnston
parent
30a71b3c30
commit
2cefa87b0b
3 changed files with 6 additions and 14 deletions
|
|
@ -403,8 +403,7 @@ struct sdp_sock {
|
|||
struct sdp_rx_ring rx_ring;
|
||||
struct sdp_tx_ring tx_ring;
|
||||
struct rwlock lock;
|
||||
struct mbuf *rx_ctl_q;
|
||||
struct mbuf *rx_ctl_tail;
|
||||
struct mbufq rxctlq; /* received control packets */
|
||||
|
||||
int qp_active; /* XXX Flag. */
|
||||
int max_sge;
|
||||
|
|
|
|||
|
|
@ -469,6 +469,7 @@ sdp_attach(struct socket *so, int proto, struct thread *td)
|
|||
ssk->flags = 0;
|
||||
ssk->qp_active = 0;
|
||||
ssk->state = TCPS_CLOSED;
|
||||
mbufq_init(&ssk->rxctlq, INT_MAX);
|
||||
SDP_LIST_WLOCK();
|
||||
LIST_INSERT_HEAD(&sdp_list, ssk, list);
|
||||
sdp_count++;
|
||||
|
|
|
|||
|
|
@ -459,14 +459,9 @@ sdp_process_rx_mb(struct sdp_sock *ssk, struct mbuf *mb)
|
|||
ntohl(rrch->len));
|
||||
}
|
||||
#endif
|
||||
mb->m_nextpkt = NULL;
|
||||
if (ssk->rx_ctl_tail)
|
||||
ssk->rx_ctl_tail->m_nextpkt = mb;
|
||||
else
|
||||
ssk->rx_ctl_q = mb;
|
||||
ssk->rx_ctl_tail = mb;
|
||||
|
||||
return 0;
|
||||
if (mbufq_enqueue(&ssk->rxctlq, mb) != 0)
|
||||
m_freem(mb);
|
||||
return (0);
|
||||
}
|
||||
|
||||
sdp_prf1(sk, NULL, "queueing %s mb\n", mid2str(h->mid));
|
||||
|
|
@ -611,11 +606,8 @@ sdp_do_posts(struct sdp_sock *ssk)
|
|||
return;
|
||||
}
|
||||
|
||||
while ((mb = ssk->rx_ctl_q)) {
|
||||
ssk->rx_ctl_q = mb->m_nextpkt;
|
||||
mb->m_nextpkt = NULL;
|
||||
while ((mb = mbufq_dequeue(&ssk->rxctlq)) != NULL)
|
||||
sdp_process_rx_ctl_mb(ssk, mb);
|
||||
}
|
||||
|
||||
if (ssk->state == TCPS_TIME_WAIT)
|
||||
return;
|
||||
|
|
|
|||
Loading…
Reference in a new issue