Race condition on sequencecheck

[ozaki-r]

There is a race condition on sequencecheck between the main thread and the receiver thread. The main thread calls seqcheck_clear() on RFC2544_RESETTING while the receiver thread calls seqcheck_receive(). seqcheck_receive() tries to update sequence counters and seqcheck_clear() resets its counters. Unfortunately seqcheck_clear() makes a pointer sc_parent NULL transiently in its process, so seqcheck_receive() can touch the NULL pointer and cause a segmentation fault.

We know that a segmentation fault stemming from the race condition occurs on FreeBSD 13.

We probably have to synchronize the threads on RFC2544_RESETTING to avoid the race condition.

[ozaki-r]

sc_parent is transiently NULLed here:

ipgen/gen/sequencecheck.c

Lines 97 to 116 in 4e55696

	static void
	seqcheck_init(struct sequencechecker *sc)
	{
	memset(sc, 0, sizeof(*sc));
	sc->sc_bitmap_start = 0;
	sc->sc_bitmap_end = sc->sc_bitmap_start + SEQ_MAXBIT;
	sc->sc_maxseq = 0;
	sc->sc_needinit = 1;
	}
	void
	seqcheck_clear(struct sequencechecker *sc)
	{
	struct sequencechecker *parent;
	parent = sc->sc_parent; /* save */
	seqcheck_init(sc);
	sc->sc_parent = parent; /* restore */
	}