From 21b7d68bd52a2bbe44cc582dc1ca31de580718cb Mon Sep 17 00:00:00 2001
From: Sepherosa Ziehau <sephe@dragonflybsd.org>
Date: Mon, 20 May 2013 21:44:32 +0800
Subject: [PATCH] syncache: Avoid NULL accessing to tcpcb of the to-be-dropped
 syncache

It is possible that the syncache tcpcb is NULL when overflow happens,
e.g. the corresponding listen socket was closed but the timeout has
not recollected the staled syncache yet.
---
 sys/netinet/tcp_syncache.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index e51c7def5c..c12da3a17a 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -381,7 +381,8 @@ syncache_insert(struct syncache *sc, struct syncache_head *sch)
 		 * The bucket is full, toss the oldest element.
 		 */
 		sc2 = TAILQ_FIRST(&sch->sch_bucket);
-		sc2->sc_tp->ts_recent = ticks;
+		if (sc2->sc_tp != NULL)
+			sc2->sc_tp->ts_recent = ticks;
 		syncache_drop(sc2, sch);
 		tcpstat.tcps_sc_bucketoverflow++;
 	} else if (syncache_percpu->cache_count >= tcp_syncache.cache_limit) {
@@ -398,7 +399,8 @@ syncache_insert(struct syncache *sc, struct syncache_head *sch)
 			if (sc2 != NULL)
 				break;
 		}
-		sc2->sc_tp->ts_recent = ticks;
+		if (sc2->sc_tp != NULL)
+			sc2->sc_tp->ts_recent = ticks;
 		syncache_drop(sc2, NULL);
 		tcpstat.tcps_sc_cacheoverflow++;
 	}
-- 
2.41.0