In PRU_DISCONNECT don't fall through into PRU_ABORT since the latter frees
the inpcb apart from the disconnect. Just call soisdisconnected() and
clear the inp->inp_faddr since the socket is still valid after a disconnect.
Problem found by syzkaller via Greg Steuck
OK visa@
Fixes:
Reported-by: syzbot+2cd350dfe5c96f6469f2@syzkaller.appspotmail.com
Reported-by: syzbot+139ac2d7d3d60162334b@syzkaller.appspotmail.com
Reported-by: syzbot+02168317bd0156c13b69@syzkaller.appspotmail.com
Reported-by: syzbot+de8d2459ecf4cdc576a1@syzkaller.appspotmail.com
cjeker committed Dec 3, 2018
1 parent f939acc commit 49729d6ed45fdb32c4f4342f78ea04da53cf6689
Showing with 4 additions and 2 deletions.
  1. +4 −2 sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
/* $OpenBSD: raw_ip.c,v 1.115 2018/11/10 18:40:34 bluhm Exp $ */
/* $OpenBSD: raw_ip.c,v 1.116 2018/12/03 10:10:49 claudio Exp $ */
/* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */

/*
@@ -385,7 +385,9 @@ rip_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
error = ENOTCONN;
break;
}
/* FALLTHROUGH */
soisdisconnected(so);
inp->inp_faddr.s_addr = INADDR_ANY;
break;
case PRU_ABORT:
soisdisconnected(so);
if (inp == NULL)
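Review bot: in the new PRU_DISCONNECT body, `inp->inp_faddr.s_addr = INADDR_ANY;` dereferences inp with no NULL check visible in this hunk, while the PRU_ABORT case directly below still tests `inp == NULL` after `soisdisconnected(so)`. Either confirm that rip_usrreq() rejects a NULL inp before reaching the switch, or guard the assignment the same way. With the `/* FALLTHROUGH */` marker gone, a one-line comment stating that the socket stays valid after a disconnect and the inpcb must not be freed here would help keep the two cases from being merged again.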
