From e6318d168ae70dc7989315890b51cd182ceeb103 Mon Sep 17 00:00:00 2001
From: Matthew Dillon <dillon@laptop2.(none)>
Date: Sat, 11 Sep 2010 09:32:24 +0000
Subject: [PATCH] network - Fixes for wpa, general sockets.

* netisr_characterize() was not properly handling unknown
  characterizations (array overflow).

* The raw protocol was not MPSAFE.

* Protect kqinfo->ki_mlist in sowakeup
---
 sys/kern/uipc_socket2.c |  2 ++
 sys/net/netisr.c        | 11 +++++++++--
 sys/net/raw_usrreq.c    |  6 ++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/sys/kern/uipc_socket2.c b/sys/kern/uipc_socket2.c
index 4369da5548..9abd2ae69f 100644
--- a/sys/kern/uipc_socket2.c
+++ b/sys/kern/uipc_socket2.c
@@ -468,6 +468,7 @@ sowakeup(struct socket *so, struct signalsockbuf *ssb)
 	if (ssb->ssb_flags & SSB_MEVENT) {
 		struct netmsg_so_notify *msg, *nmsg;
 
+		lwkt_gettoken(&kq_token);
 		TAILQ_FOREACH_MUTABLE(msg, &kqinfo->ki_mlist, nm_list, nmsg) {
 			if (msg->nm_predicate(&msg->nm_netmsg)) {
 				TAILQ_REMOVE(&kqinfo->ki_mlist, msg, nm_list);
@@ -477,6 +478,7 @@ sowakeup(struct socket *so, struct signalsockbuf *ssb)
 		}
 		if (TAILQ_EMPTY(&ssb->ssb_kq.ki_mlist))
 			atomic_clear_int(&ssb->ssb_flags, SSB_MEVENT);
+		lwkt_reltoken(&kq_token);
 	}
 }
 
diff --git a/sys/net/netisr.c b/sys/net/netisr.c
index baf005ed57..cfa4866672 100644
--- a/sys/net/netisr.c
+++ b/sys/net/netisr.c
@@ -357,11 +357,18 @@ netisr_characterize(int num, struct mbuf **mp, int hoff)
 	/*
 	 * Validation
 	 */
-	KASSERT((num > 0 && num <= (sizeof(netisrs)/sizeof(netisrs[0]))),
-		("Bad isr %d", num));
 	m = *mp;
 	KKASSERT(m != NULL);
 
+	if (num < 0 || num >= NETISR_MAX) {
+		if (num == NETISR_MAX) {
+			m->m_flags |= M_HASH;
+			m->m_pkthdr.hash = 0;
+			return;
+		}
+		panic("Bad isr %d", num);
+	}
+
 	/*
 	 * Valid netisr?
 	 */
diff --git a/sys/net/raw_usrreq.c b/sys/net/raw_usrreq.c
index 1e87404230..8c232b6566 100644
--- a/sys/net/raw_usrreq.c
+++ b/sys/net/raw_usrreq.c
@@ -48,6 +48,9 @@
 
 #include <net/raw_cb.h>
 
+
+static struct lwkt_token raw_token = LWKT_TOKEN_MP_INITIALIZER(raw_token);
+
 /*
  * Initialize raw connection block q.
  */
@@ -78,6 +81,8 @@ raw_input(struct mbuf *m0, const struct sockproto *proto,
 	struct mbuf *m = m0;
 	struct socket *last;
 
+	lwkt_gettoken(&raw_token);
+
 	last = NULL;
 	LIST_FOREACH(rp, &rawcb_list, list) {
 		if (rp == skip)
@@ -123,6 +128,7 @@ raw_input(struct mbuf *m0, const struct sockproto *proto,
 	} else {
 		m_freem(m);
 	}
+	lwkt_reltoken(&raw_token);
 }
 
 /*ARGSUSED*/
-- 
2.41.0