network - raw_input needs further protection
authorMatthew Dillon <dillon@laptop2.(none)>
Sat, 11 Sep 2010 11:58:35 +0000 (11:58 +0000)
committerMatthew Dillon <dillon@laptop2.(none)>
Sat, 11 Sep 2010 11:58:35 +0000 (11:58 +0000)
* We also need the so_rcv.ssb_token to protect against userland

sys/net/raw_usrreq.c

index 8c232b6..cfc7f30 100644 (file)
@@ -109,6 +109,7 @@ raw_input(struct mbuf *m0, const struct sockproto *proto,
 
                        n = m_copypacket(m, MB_DONTWAIT);
                        if (n != NULL) {
+                               lwkt_gettoken(&last->so_rcv.ssb_token);
                                if (ssb_appendaddr(&last->so_rcv, src, n,
                                                 NULL) == 0) {
                                        /* should notify about lost packet */
@@ -116,15 +117,18 @@ raw_input(struct mbuf *m0, const struct sockproto *proto,
                                } else {
                                        sorwakeup(last);
                                }
+                               lwkt_reltoken(&last->so_rcv.ssb_token);
                        }
                }
                last = rp->rcb_socket;
        }
        if (last) {
+               lwkt_gettoken(&last->so_rcv.ssb_token);
                if (ssb_appendaddr(&last->so_rcv, src, m, NULL) == 0)
                        m_freem(m);
                else
                        sorwakeup(last);
+               lwkt_reltoken(&last->so_rcv.ssb_token);
        } else {
                m_freem(m);
        }