in the great unp_gc rewrite, a null check was lost. we have spent some
time investigating and arguing about whether a NULL fp is a bug or not,
but what has become clear is that NULL fps get passed to unp_discard
and have been for quite some time.
restore old accommodating behavior by checking for null in unp_gc.
ok deraadt kettenis

author tedu <tedu@openbsd.org>
Tue, 12 Jul 2016 14:28:02 +0000 (14:28 +0000)
committer tedu <tedu@openbsd.org>
Tue, 12 Jul 2016 14:28:02 +0000 (14:28 +0000)

sys/kern/uipc_usrreq.c

index 60e4f11..ea4c716 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: uipc_usrreq.c,v 1.98 2016/07/12 13:19:14 deraadt Exp $        */
+/*     $OpenBSD: uipc_usrreq.c,v 1.99 2016/07/12 14:28:02 tedu Exp $   */
 /*     $NetBSD: uipc_usrreq.c,v 1.18 1996/02/09 19:00:50 christos Exp $        */
 
 /*
@@ -898,6 +898,8 @@ unp_gc(void *arg __unused)
                for (i = 0; i < defer->ud_n; i++) {
                        memcpy(&fp, &((struct file **)(defer + 1))[i],
                            sizeof(fp));
+                       if (fp == NULL)
+                               continue;
                        FREF(fp);
                        if ((unp = fptounp(fp)) != NULL)
                                unp->unp_msgcount--;
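Review bot: the new `if (fp == NULL) continue;` before `FREF(fp)` has no comment explaining why a NULL entry can sit in the deferred-close array, and the commit message itself says that question is still being argued; since the message also says this exact check was lost once already in the unp_gc rewrite, a one-line comment at the `continue` (e.g. "/* NULL fps reach here via unp_discard; skip rather than dereference */") would keep the next refactor from dropping it again. Also worth noting for the record: the message says NULL fps are handed to unp_discard, but this hunk only guards the unp_gc loop, so any other consumer of the same array is outside what this diff shows.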