From a7484b3cdb22a3730a0f15d3bee19beb72181087 Mon Sep 17 00:00:00 2001
From: bz
Date: Sat, 30 Aug 2008 16:49:36 +0000
Subject: [PATCH] MFC: svn r182056, cvs 1.154 tcp_syncache.c

Cache the cred locally in _syncache_add() while holding the locks, so we can be sure that it's valid. In case we abort early free it again else put it into the syncache. We need the cred in the syncache to be able to restrict what will be exportet by the sysctl helper function syncache_pcblist() (to netstat) within jails.

PR: kern/126493
---
 sys/netinet/tcp_syncache.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 4a5758672aa..5087253d8ec 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -53,6 +53,7 @@ __FBSDID("$FreeBSD$");
 #include
 #include
 #include
+#include
 #include
@@ -144,6 +145,7 @@ struct syncache {
 #ifdef MAC
 struct label *sc_label; /* MAC label reference */
 #endif
+ struct ucred *sc_cred; /* cred cache for jail checks */
 };
 #ifdef TCP_OFFLOAD_DISABLE
@@ -262,6 +264,8 @@ syncache_free(struct syncache *sc)
 {
 if (sc->sc_ipopts)
 (void) m_free(sc->sc_ipopts);
+ if (sc->sc_cred)
+ crfree(sc->sc_cred);
 #ifdef MAC
 mac_destroy_syncache(&sc->sc_label);
 #endif
@@ -1021,6 +1025,7 @@ _syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 struct label *maclabel;
 #endif
 struct syncache scs;
+ struct ucred *cred;
 INP_INFO_WLOCK_ASSERT(&tcbinfo);
 INP_WLOCK_ASSERT(inp); /* listen socket */
@@ -1033,6 +1038,7 @@ _syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 */
 so = *lsop;
 tp = sototcpcb(so);
+ cred = crhold(so->so_cred);
 #ifdef INET6
 if (inc->inc_isipv6 &&
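Review bot: The comment on the new `sc_cred` member in the `struct syncache` hunk says what the field is for but not that it is an owned reference, even though syncache_free() in the next hunk now calls crfree() on it and _syncache_add() stores a crhold()'d pointer into it. Stating the ownership at the definition keeps a later change from stashing a borrowed pointer there and causing a double release; I would write `struct ucred *sc_cred; /* held cred ref (crhold), released by syncache_free() */`. The definition of struct syncache begins before this hunk.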
@@ -1162,6 +1168,8 @@ _syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 #ifdef MAC
 sc->sc_label = maclabel;
 #endif
+ sc->sc_cred = cred;
+ cred = NULL;
 sc->sc_ipopts = ipopts;
 sc->sc_inc.inc_fibnum = inp->inp_inc.inc_fibnum;
 bcopy(inc, &sc->sc_inc, sizeof(struct in_conninfo));
@@ -1281,6 +1289,8 @@ _syncache_add(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 }
 done:
+ if (cred != NULL)
+ crfree(cred);
 #ifdef MAC
 if (sc == &scs)
 mac_destroy_syncache(&maclabel);
@@ -1765,6 +1775,8 @@ syncache_pcblist(struct sysctl_req *req, int max_pcbs, int *pcbs_exported)
 SCH_UNLOCK(sch);
 goto exit;
 }
+ if (cr_cansee(req->td->td_ucred, sc->sc_cred) != 0)
+ continue;
 bzero(&xt, sizeof(xt));
 xt.xt_len = sizeof(xt);
 if (sc->sc_inc.inc_isipv6)
-- 
2.45.2
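Review bot: The ownership hand-off `sc->sc_cred = cred; cred = NULL;` in the @@ -1162 hunk is unconditional, but the release added at `done:` in the @@ -1281 hunk only fires while `cred` is still non-NULL, and the `if (sc == &scs) mac_destroy_syncache(&maclabel);` right after it indicates that `sc` can also be the on-stack `scs` copy, which is never handed to syncache_free(). If that fallback path exists (its setup is outside the hunk), the crhold() reference moved into `scs.sc_cred` is never dropped and the listen socket's cred leaks one count per such SYN. The `done:` cleanup should mirror the MAC branch, e.g. `if (sc == &scs && sc->sc_cred != NULL) crfree(sc->sc_cred);` next to the new `if (cred != NULL) crfree(cred);`. _syncache_add() begins and ends outside both hunks.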
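Review bot: The new `cr_cansee()` filter in the syncache_pcblist() hunk skips an entry without saying why, and it passes `sc->sc_cred` without a NULL check, which presumably relies on every hashed entry having been created through the _syncache_add() path that now stores a held reference. A short comment would make both the intent and that invariant explicit, e.g. `/* Hide entries whose listen socket cred the caller (e.g. a jailed netstat) may not see; sc_cred is always set by _syncache_add(). */` above the `if`. The enclosing TAILQ_FOREACH loop starts before and ends after the hunk.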