summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Percival <cperciva@FreeBSD.org>2006-02-01 19:43:36 +0000
committerColin Percival <cperciva@FreeBSD.org>2006-02-01 19:43:36 +0000
commit1cdc31cf597dc3b03b8b8434623459b3b5d636e3 (patch)
tree5ccaa6dd9341f737b64ea2557ff47dac1b4f2593
parent79315b47bd7ca2660657f573c9db609425f0e7ed (diff)
downloadsrc-test2-1cdc31cf597dc3b03b8b8434623459b3b5d636e3.tar.gz
src-test2-1cdc31cf597dc3b03b8b8434623459b3b5d636e3.zip
MFRELENG_5 sys/netinet/tcp_sack.c rev. 1.3.2.10:
Avoid an infinite loop in sack scoreboard processing when the per-hole limits or global scoreboard limits are reached, or when memory exhaustion occurs. This can occur when an existing hole fails to be split due to limits or memory exhaustion. Security: FreeBSD-SA-06:08.sack Approved by: so (cperciva)
Notes
Notes: svn path=/releng/5.3/; revision=155190
Diffstat
-rw-r--r--UPDATING4
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/netinet/tcp_sack.c3
3 files changed, 7 insertions, 2 deletions
diff --git a/UPDATING b/UPDATING
index 38eab70645a9..9c456af396c8 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,10 @@ Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running
portupgrade. Important recent entries: 20040724 (default X changes).
+20060201: p26 FreeBSD-SA-06:08.sack
+ Avoid an infinite loop in sack scoreboard processing which can
+ result from memory exhaustion.
+
20060125: p25 FreeBSD-SA-06:07.pf
Correct an error in pf handling of IP packet fragments which
could result in a kernel panic. [06:07]
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 1bab96111e61..f7912a5b4178 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="5.3"
-BRANCH="RELEASE-p25"
+BRANCH="RELEASE-p26"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index 1cf44f2ba73d..21ac01aba654 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -301,6 +301,7 @@ tcp_sack_option(struct tcpcb *tp, struct tcphdr *th, u_char *cp, int optlen)
tp->snd_numholes = 0;
if (tp->t_maxseg == 0)
panic("tcp_sack_option"); /* Should never happen */
+next_block:
while (tmp_olen > 0) {
struct sackblk sack;
@@ -390,7 +391,7 @@ tcp_sack_option(struct tcpcb *tp, struct tcphdr *th, u_char *cp, int optlen)
temp = (struct sackhole *)
uma_zalloc(sack_hole_zone,M_NOWAIT);
if (temp == NULL)
- continue; /* ENOBUFS */
+ goto next_block; /* ENOBUFS */
temp->next = cur->next;
temp->start = sack.end;
temp->end = cur->end;
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-20 22:44:36 +0000