author | nordmark <none@none> | 2007-10-25 15:58:10 -0700 |
---|---|---|
committer | nordmark <none@none> | 2007-10-25 15:58:10 -0700 |
commit | e845e33dd0d1aea22db7edaa8c7d43955d24609b (patch) | |
tree | e12bfd621f05597da951940b344a49d77eb97d40 /usr/src/uts | |
parent | 0a4e9518a44f226be6d39383330b5b1792d2f184 (diff) | |
6621369 IP_OPTIONS handling in udp and rawip causes panics, uninitialized data
Diffstat (limited to 'usr/src/uts')
-rw-r--r-- | usr/src/uts/common/inet/ip/icmp.c | 11 | ||||
-rw-r--r-- | usr/src/uts/common/inet/udp/udp.c | 16 |
2 files changed, 25 insertions, 2 deletions
diff --git a/usr/src/uts/common/inet/ip/icmp.c b/usr/src/uts/common/inet/ip/icmp.c
index bfae1cd136..e8e8c0a7c5 100644
--- a/usr/src/uts/common/inet/ip/icmp.c
+++ b/usr/src/uts/common/inet/ip/icmp.c
@@ -729,6 +729,7 @@ icmp_close_free(conn_t *connp)
 if (icmp->icmp_ip_snd_options != NULL) {
 mi_free((char *)icmp->icmp_ip_snd_options);
 icmp->icmp_ip_snd_options = NULL;
+ icmp->icmp_ip_snd_options_len = 0;
 }
 if (icmp->icmp_filter != NULL) {
@@ -743,6 +744,16 @@ icmp_close_free(conn_t *connp)
 icmp->icmp_sticky_hdrs_len = 0;
 }
 ip6_pkt_free(&icmp->icmp_sticky_ipp);
+
+ /*
+ * Clear any fields which the kmem_cache constructor clears.
+ * Only icmp_connp needs to be preserved.
+ * TBD: We should make this more efficient to avoid clearing
+ * everything.
+ */
+ ASSERT(icmp->icmp_connp == connp);
+ bzero(icmp, sizeof (icmp_t));
+ icmp->icmp_connp = connp;
 }
 static int
diff --git a/usr/src/uts/common/inet/udp/udp.c b/usr/src/uts/common/inet/udp/udp.c
index 9d0a07c9de..5347af5826 100644
--- a/usr/src/uts/common/inet/udp/udp.c
+++ b/usr/src/uts/common/inet/udp/udp.c
@@ -1534,14 +1534,16 @@ udp_close_free(conn_t *connp)
 udp_t *udp = connp->conn_udp;
 /* If there are any options associated with the stream, free them. */
- if (udp->udp_ip_snd_options) {
+ if (udp->udp_ip_snd_options != NULL) {
 mi_free((char *)udp->udp_ip_snd_options);
 udp->udp_ip_snd_options = NULL;
+ udp->udp_ip_snd_options_len = 0;
 }
- if (udp->udp_ip_rcv_options) {
+ if (udp->udp_ip_rcv_options != NULL) {
 mi_free((char *)udp->udp_ip_rcv_options);
 udp->udp_ip_rcv_options = NULL;
+ udp->udp_ip_rcv_options_len = 0;
 }
 /* Free memory associated with sticky options */
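Review bot: The new `icmp->icmp_ip_snd_options_len = 0;` sits inside the `if (icmp->icmp_ip_snd_options != NULL)` branch, so a length left non-zero while the pointer is already NULL is not corrected here. That case is only caught by the `bzero()` added further down in the same function. Moving the reset below the closing `}` keeps pointer and length consistent on every path without relying on the later wipe. The same placement applies to the `udp_ip_snd_options_len` and `udp_ip_rcv_options_len` resets in the first udp_close_free hunk. icmp_close_free starts before this hunk.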
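Review bot: The `bzero(icmp, sizeof (icmp_t))` at the end of icmp_close_free wipes every member, so any pointer member that still owns memory at that point is leaked. Any lock or condition variable the cache constructor may have initialised inside `icmp_t` would also be overwritten without a matching destroy call. Neither the struct layout nor the constructor is visible in this hunk, so both should be checked against the frees above it. `ASSERT(icmp->icmp_connp == connp)` only runs on DEBUG kernels, so on production builds a mismatched back-pointer is silently overwritten by `icmp->icmp_connp = connp;`. The same points apply to the `bzero(udp, sizeof (udp_t))` added to udp_close_free. A single reset helper called from both the constructor and the close path would stop the two from drifting apart.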
@@ -1553,6 +1555,16 @@ udp_close_free(conn_t *connp)
 }
 ip6_pkt_free(&udp->udp_sticky_ipp);
+
+ /*
+ * Clear any fields which the kmem_cache constructor clears.
+ * Only udp_connp needs to be preserved.
+ * TBD: We should make this more efficient to avoid clearing
+ * everything.
+ */
+ ASSERT(udp->udp_connp == connp);
+ bzero(udp, sizeof (udp_t));
+ udp->udp_connp = connp;
 }
 /* |
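Review bot: The comment added in udp_close_free does not say why the wipe is required, and "fields which the kmem_cache constructor clears" understates a `bzero` that covers all of `udp_t`. A kmem cache runs its constructor when an object is first created, not on every allocation, so the close path has to hand the object back in constructed state. I would state that directly, e.g. `/* The cache does not re-run its constructor on reuse: return udp_t zeroed except udp_connp, so the next open sees no stale option pointers or lengths. */`. The identical comment in icmp_close_free could take the same wording. udp_close_free starts before this hunk.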