Date: Sun, 02 Sep 2007 11:21:37 +0900 From: gnn@freebsd.org To: "Bruce M. Simpson" <bms@freebsd.org> Cc: freebsd-net@freebsd.org, "Christian S.J. Peron" <csjp@freebsd.org> Subject: Re: [csjp@FreeBSD.org: Re: rtfree: 0xffffff00036fb1e0 has 1 refs] Message-ID: <m2r6lhg632.wl%gnn@neville-neil.com> In-Reply-To: <46D51F4A.1050004@FreeBSD.org> References: <20070828165333.GA14159@sub.vaned.net> <46D48A3D.6080901@FreeBSD.org> <46D51F4A.1050004@FreeBSD.org>
index | next in thread | previous in thread | raw e-mail
At Wed, 29 Aug 2007 08:24:58 +0100,
Bruce M. Simpson wrote:
>
> BTW: Casual inspection with kscope suggests there is a similar
> free-while-locked issue in nd6_ns_input() (netient6/nd6_nbr.c) and
> in_arpinput() (netinet/if_ether.c).
>
> nd6_ns_input() references rt-ğrt_gateway after rtfree(), a potential
> race not to mention a use-after-free.
>
> I haven't checked Coverity for this, but it just doesn't look right.
At least in the ND6 case I think that the correct logic is:
==== //depot/user/gnn/ipsec_seven/src/sys/netinet6/nd6_nbr.c#1 - /sources/p4/user/gnn/ipsec_seven/src/sys/netinet6/nd6_nbr.c ====
@@ -215,8 +215,6 @@
rt = rtalloc1((struct sockaddr *)&tsin6, 0, 0);
need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
rt->rt_gateway->sa_family == AF_LINK);
- if (rt)
- rtfree(rt);
if (need_proxy) {
/*
* proxy NDP for single entry
@@ -228,6 +226,9 @@
proxydl = SDL(rt->rt_gateway);
}
}
+ if (!need_proxy || ifa == NULL)
+ if (rt)
+ rtfree(rt);
}
if (ifa == NULL) {
/*
Thoughts?
Best,
George
home |
help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?m2r6lhg632.wl%gnn>