Date: Sun, 02 Sep 2007 11:21:37 +0900
From: gnn@freebsd.org
To: "Bruce M. Simpson" <bms@freebsd.org>
Cc: freebsd-net@freebsd.org, "Christian S.J. Peron" <csjp@freebsd.org>
Subject: Re: [csjp@FreeBSD.org: Re: rtfree: 0xffffff00036fb1e0 has 1 refs]
Message-ID: <m2r6lhg632.wl%gnn@neville-neil.com>
In-Reply-To: <46D51F4A.1050004@FreeBSD.org>
References: <20070828165333.GA14159@sub.vaned.net> <46D48A3D.6080901@FreeBSD.org> <46D51F4A.1050004@FreeBSD.org>
At Wed, 29 Aug 2007 08:24:58 +0100,
Bruce M. Simpson wrote:
> 
> BTW: Casual inspection with kscope suggests there is a similar
> free-while-locked issue in nd6_ns_input() (netinet6/nd6_nbr.c) and
> in_arpinput() (netinet/if_ether.c).
> 
> nd6_ns_input() references rt->rt_gateway after rtfree(), a potential
> race not to mention a use-after-free.
> 
> I haven't checked Coverity for this, but it just doesn't look right.
At least in the ND6 case I think that the correct logic is:
==== //depot/user/gnn/ipsec_seven/src/sys/netinet6/nd6_nbr.c#1 - /sources/p4/user/gnn/ipsec_seven/src/sys/netinet6/nd6_nbr.c ====
@@ -215,8 +215,6 @@
rt =3D rtalloc1((struct sockaddr *)&tsin6, 0, 0);
need_proxy =3D (rt && (rt->rt_flags & RTF_ANNOUNCE) !=3D 0 &&
rt->rt_gateway->sa_family =3D=3D AF_LINK);
- if (rt)
- rtfree(rt);
if (need_proxy) {
/*
* proxy NDP for single entry
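Review bot: Dropping the `if (rt) rtfree(rt);` that sat between the `rtalloc1()` lookup and `if (need_proxy)` is the right direction, because the proxy block that follows dereferences `rt->rt_gateway` and must not do so after the reference has been released; on its own, though, this hunk turns an early free into a leak on every path through the function, so it only stands together with a release on each exit of the enclosing block. The `need_proxy` expression itself is safe as written, since `rt &&` short-circuits before `rt->rt_gateway->sa_family` is read when the lookup returned NULL.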
@@ -228,6 +226,9 @@
proxydl =3D SDL(rt->rt_gateway);
}
}
+ if (!need_proxy || ifa =3D=3D NULL)
+ if (rt)
+ rtfree(rt);
}
if (ifa =3D=3D NULL) {
/*
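Review bot: The release condition `!need_proxy || ifa == NULL` deliberately keeps the route held when `need_proxy` is true and `ifa` was found, which is necessary because `proxydl = SDL(rt->rt_gateway)` points into the route entry and the proxy path keeps using it; the hunk does not show the matching `rtfree(rt)` on that path, so please confirm one is present at every later exit, error returns included, or the reference leaks and the "has 1 refs" complaint in the subject line simply moves elsewhere. A short comment on why `rt` must stay referenced while `proxydl` is live would help the next reader. On style, the nested unbraced `if` reads more clearly as one condition, e.g. `if (rt != NULL && (!need_proxy || ifa == NULL))` followed by `rtfree(rt);`.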
Thoughts?
Best,
George
