tcp: improve MAC error handling for SYN segments

Don't leak a maclabel when SYN segments are processed which results in an error due to MD5 signature handling. Tweak the #idef MAC to allow additional upcoming changes. Reviewed by: markj Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D46766 (cherry picked from commit 78e1b031d2)
2026-06-04 14:26:03 -04:00 · 2024-09-26 08:10:01 +02:00 · 2024-09-26 08:10:01 +02:00 · 2f5ac48d9b
commit 2f5ac48d9b
parent 66c7d5365a
1 changed files with 3 additions and 2 deletions
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@ -1382,7 +1382,7 @@ syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 	int autoflowlabel = 0;
 #endif
 #ifdef MAC
-	struct label *maclabel;
+	struct label *maclabel = NULL;
 #endif
 	struct syncache scs;
 	struct ucred *cred;
@ -1773,10 +1773,11 @@ donenoprobe:
 tfo_expanded:
 	if (cred != NULL)
 		crfree(cred);
+	if (sc == NULL || sc == &scs) {
 #ifdef MAC
-	if (sc == &scs)
 		mac_syncache_destroy(&maclabel);
 #endif
+	}
 	return (rv);
 }