1695 tcp_icmp_input sends packets with a closed connection
Reviewed by: Bryan Cantrill <
[email protected]>
Reviewed by: Richard Lowe <
[email protected]>
Reviewed by: Dan McDonald <
[email protected]>
Reviewed by: Garrett D'Amore <
[email protected]>
Approved by: Richard Lowe <
[email protected]>
--- a/usr/src/uts/common/inet/tcp/tcp_input.c Sun May 15 23:44:52 2011 +0100
+++ b/usr/src/uts/common/inet/tcp/tcp_input.c Fri Oct 28 20:17:44 2011 -0400
@@ -22,6 +22,7 @@
/*
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright 2011 Nexenta Systems, Inc. All rights reserved.
+ * Copyright (c) 2011 Joyent, Inc. All rights reserved.
*/
/* This file contains all TCP input processing functions. */
@@ -5536,6 +5537,16 @@
ASSERT((MBLKL(mp) >= sizeof (ipha_t)));
/*
+ * It's possible we have a closed, but not yet destroyed, TCP
+ * connection. Several fields (e.g. conn_ixa->ixa_ire) are invalid
+ * in the closed state, so don't take any chances and drop the packet.
+ */
+ if (tcp->tcp_state == TCPS_CLOSED) {
+ freemsg(mp);
+ return;
+ }
+
+ /*
* Verify IP version. Anything other than IPv4 or IPv6 packet is sent
* upstream. ICMPv6 is handled in tcp_icmp_error_ipv6.
*/