From owner-cvs-all Sun Aug 26 3: 9:53 2001 Delivered-To: cvs-all@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8E19437B403; Sun, 26 Aug 2001 03:09:48 -0700 (PDT) (envelope-from billf@FreeBSD.org) Received: (from billf@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7QA9mk51468; Sun, 26 Aug 2001 03:09:48 -0700 (PDT) (envelope-from billf) Message-Id: <200108261009.f7QA9mk51468@freefall.freebsd.org> From: Bill Fumerola Date: Sun, 26 Aug 2001 03:09:48 -0700 (PDT) To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: src/sys/netinet ip_fw.c X-FreeBSD-CVS-Branch: HEAD Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG billf 2001/08/26 03:09:48 PDT Modified files: sys/netinet ip_fw.c Log: the IP_FW_GET code in ip_fw_ctl() sizes a buffer to hold information about rules and dynamic rules. it later fills this buffer with these rules. it also takes the opporunity to compare the expiration of the dynamic rules with the current time and either marks them for deletion or simply charges the countdown. unfortunatly it does this all (the sizing, the buffer copying, and the expiration GC) with no spl protection whatsoever. it was possible for the dynamic rule(s) to be ripped out from under the request before it had completed, resulting in corrupt memory dereferencing. Reviewed by: ps MFC before: 4.4-RELEASE, hopefully. Revision Changes Path 1.166 +4 -1 src/sys/netinet/ip_fw.c To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message