DragonFlyBSD Kernel Audit
DF-0537

TOCTOU race on priv->datasock in ng_connect_data: check unlocked, set under lock

Summary

In ng_connect_data (lines 790-805), the guard if (priv->datasock != NULL) at line 791 runs without priv->mtx held; the mutex is only acquired at line 800, after which priv->datasock = pcbp is written. Two data sockets connecting concurrently can therefore both observe datasock == NULL, take the lock one after the other, and both succeed: priv->datasock ends up pointing at pcbp_b while pcbp_a still holds its reference to priv. pcbp_a is now orphaned, since it keeps its reference to priv but priv->datasock no longer points back to it, leaving the reference count unbalanced and producing a use-after-free on close. Fix: move the datasock check inside the locked region so that the check and the assignment happen under the same hold of priv->mtx.
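The two shapes of the check, reproduced as an added pthread model rather than DragonFlyBSD's own code: struct priv, datasock, the barrier and the function names are constructed here, and the barrier exists only to force the interleaving the summary describes, so that the unlocked check lets both connects "win" while the locked check admits exactly one.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the node private data; not the DragonFlyBSD struct. */
struct priv { pthread_mutex_t mtx; int *datasock; };
typedef bool connect_fn(struct priv *, int *, pthread_barrier_t *);
struct attempt { struct priv *p; int *pcbp; pthread_barrier_t *bar; connect_fn *fn; bool ok; };

/* Vulnerable shape: the datasock check runs without priv->mtx held. The
 * barrier forces both callers past the check before either takes the lock. */
static bool connect_check_unlocked(struct priv *p, int *pcbp, pthread_barrier_t *bar)
{
    if (p->datasock != NULL)
        return false;
    pthread_barrier_wait(bar);
    pthread_mutex_lock(&p->mtx);
    p->datasock = pcbp;              /* second writer silently replaces the first */
    pthread_mutex_unlock(&p->mtx);
    return true;
}

/* Fixed shape: check and assignment share one critical section. */
static bool connect_check_locked(struct priv *p, int *pcbp, pthread_barrier_t *bar)
{
    pthread_barrier_wait(bar);
    pthread_mutex_lock(&p->mtx);
    bool vacant = (p->datasock == NULL);
    if (vacant)
        p->datasock = pcbp;
    pthread_mutex_unlock(&p->mtx);
    return vacant;                   /* the loser gets a clean failure instead */
}

static void *run(void *arg) { struct attempt *a = arg; a->ok = a->fn(a->p, a->pcbp, a->bar); return NULL; }

/* Race two connect attempts against one node; return how many succeeded. */
int race_two_connects(connect_fn *fn)
{
    struct priv p = { PTHREAD_MUTEX_INITIALIZER, NULL };
    int sock_a = 1, sock_b = 2;
    pthread_barrier_t bar;
    pthread_barrier_init(&bar, NULL, 2);
    struct attempt at[2] = { { &p, &sock_a, &bar, fn, false }, { &p, &sock_b, &bar, fn, false } };
    pthread_t th[2];
    for (int i = 0; i < 2; i++) pthread_create(&th[i], NULL, run, &at[i]);
    for (int i = 0; i < 2; i++) pthread_join(th[i], NULL);
    pthread_barrier_destroy(&bar);
    return (int)at[0].ok + (int)at[1].ok;   /* 2 = both attached, 1 = correct */
}
```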