changeset 5330:71aba7712438
6621369 IP_OPTIONS handling in udp and rawip causes panics, uninitialized data
author | nordmark |
---|---|
date | Thu, 25 Oct 2007 15:58:10 -0700 |
parents | 33cb98223b2d |
children | 3047ad28a67b |
files | usr/src/uts/common/inet/ip/icmp.c usr/src/uts/common/inet/udp/udp.c |
diffstat | 2 files changed, 27 insertions(+), 4 deletions(-) [+] |
--- a/usr/src/uts/common/inet/ip/icmp.c Wed Oct 24 20:00:39 2007 -0700
+++ b/usr/src/uts/common/inet/ip/icmp.c Thu Oct 25 15:58:10 2007 -0700
@@ -729,6 +729,7 @@
 if (icmp->icmp_ip_snd_options != NULL) {
 mi_free((char *)icmp->icmp_ip_snd_options);
 icmp->icmp_ip_snd_options = NULL;
+ icmp->icmp_ip_snd_options_len = 0;
 }
 
 if (icmp->icmp_filter != NULL) {
@@ -743,6 +744,16 @@
 icmp->icmp_sticky_hdrs_len = 0;
 }
 ip6_pkt_free(&icmp->icmp_sticky_ipp);
+
+ /*
+ * Clear any fields which the kmem_cache constructor clears.
+ * Only icmp_connp needs to be preserved.
+ * TBD: We should make this more efficient to avoid clearing
+ * everything.
+ */
+ ASSERT(icmp->icmp_connp == connp);
+ bzero(icmp, sizeof (icmp_t));
+ icmp->icmp_connp = connp;
 }
 
 static int
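Review bot: In the `@@ -729` hunk the reset `icmp->icmp_ip_snd_options_len = 0;` sits inside the `!= NULL` branch, so pointer and length are still kept in step by hand at each place the buffer is freed; the same holds for both option pairs in udp.c at `@@ -1534`. Only the close-time cleanup is visible in this diff, and any other path that frees or replaces these buffers needs the same paired update, since a length that outlives its buffer is the kind of state that can lead to an over-read when headers are built. I would add a comment above each block, `/* options pointer and length must always be cleared together */`, or move the free-and-reset into one small static helper. The enclosing function starts before the hunk.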
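Review bot: The `bzero(icmp, sizeof (icmp_t));` at the end of the `@@ -743` hunk clears every field, not only those the constructor clears, so a pointer that this function has not freed by then is lost without trace, and any embedded lock or other constructor-initialised member would be zeroed rather than torn down; the same applies to `bzero(udp, sizeof (udp_t));` in udp.c at `@@ -1553`. The struct definitions are outside this diff, so this may hold today, but the new comment should state the invariant: every owned pointer is released above this line and the struct has no member that needs more than zeroing. On DEBUG kernels a check such as `ASSERT(icmp->icmp_filter == NULL);` just before the bzero would catch a missed free. `ASSERT` is compiled out of non-DEBUG builds, so there the `icmp_connp` restore runs unchecked, which is worth a word in the comment. The function begins before the hunk.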
--- a/usr/src/uts/common/inet/udp/udp.c Wed Oct 24 20:00:39 2007 -0700
+++ b/usr/src/uts/common/inet/udp/udp.c Thu Oct 25 15:58:10 2007 -0700
@@ -1534,14 +1534,16 @@
 udp_t *udp = connp->conn_udp;
 
 /* If there are any options associated with the stream, free them. */
- if (udp->udp_ip_snd_options) {
+ if (udp->udp_ip_snd_options != NULL) {
 mi_free((char *)udp->udp_ip_snd_options);
 udp->udp_ip_snd_options = NULL;
- }
-
- if (udp->udp_ip_rcv_options) {
+ udp->udp_ip_snd_options_len = 0;
+ }
+
+ if (udp->udp_ip_rcv_options != NULL) {
 mi_free((char *)udp->udp_ip_rcv_options);
 udp->udp_ip_rcv_options = NULL;
+ udp->udp_ip_rcv_options_len = 0;
 }
 
 /* Free memory associated with sticky options */
@@ -1553,6 +1555,16 @@
 }
 
 ip6_pkt_free(&udp->udp_sticky_ipp);
+
+ /*
+ * Clear any fields which the kmem_cache constructor clears.
+ * Only udp_connp needs to be preserved.
+ * TBD: We should make this more efficient to avoid clearing
+ * everything.
+ */
+ ASSERT(udp->udp_connp == connp);
+ bzero(udp, sizeof (udp_t));
+ udp->udp_connp = connp;
 }
 
 /*