From owner-freebsd-net  Tue Aug  7  5:47: 0 2001
Delivered-To: freebsd-net@freebsd.org
Received: from shuttle.wide.toshiba.co.jp (shuttle.wide.toshiba.co.jp [202.249.10.124])
	by hub.freebsd.org (Postfix) with ESMTP id 1E4DD37B401
	for <freebsd-net@FreeBSD.ORG>; Tue,  7 Aug 2001 05:46:57 -0700 (PDT)
	(envelope-from jinmei@isl.rdc.toshiba.co.jp)
Received: from localhost (host217-33-136-94.ietf.ignite.net [217.33.136.94])
	by shuttle.wide.toshiba.co.jp (8.9.1+3.1W/8.9.1) with ESMTP id VAA27360
	for <freebsd-net@FreeBSD.ORG>; Tue, 7 Aug 2001 21:49:43 +0900 (JST)
Date: Tue, 07 Aug 2001 21:44:36 +0900
Message-ID: <y7vvgk082ff.wl@condor.jinmei.org>
From: JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?= <jinmei@isl.rdc.toshiba.co.jp>
To: freebsd-net@FreeBSD.ORG
Subject: possible duplicated free in kernel
User-Agent: Wanderlust/2.5.8 (Smooth) Emacs/21.0 Mule/5.0 (SAKAKI)
Organization: Research & Development Center, Toshiba Corp., Kawasaki, Japan.
MIME-Version: 1.0 (generated by SEMI 1.13.7 - "Awazu")
Content-Type: text/plain; charset=US-ASCII
X-Dispatcher: imput version 980905(IM100)
Lines: 51
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

(Probably I have to make a PR...,)

The latest RELNEG_4 version (rev. 1.7.2.4) of sys/netinet6/raw_ip6.c
has the following code fragment:

rip6_output()
...
 freectl:
	if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
		RTFREE(optp->ip6po_route.ro_rt);
	if (control) {
		if (optp == &opt)
			ip6_clearpktopts(optp, 0, -1);

Thus, it can call RTFREE inside the function.  However,
ip6_clearpktopts(defined in netinet6/ip6_output.c) also calls RTFREE:

ip6_clearpktopts()
...
		if (pktopt->ip6po_route.ro_rt) {
			RTFREE(pktopt->ip6po_route.ro_rt);
			pktopt->ip6po_route.ro_rt = NULL;
		}

Consequently, optp->ip6po_route.ro_rt can be freed two times,
unexpectedly.

Here is a patch to fix the problem.  Please review it, and merge it
to the repository (hopefully before 4.4-RELEASE.) if acceptable.

Thanks,

					JINMEI, Tatuya
					Communication Platform Lab.
					Corporate R&D Center, Toshiba Corp.
					jinmei@isl.rdc.toshiba.co.jp


*** raw_ip6.c.orig	Tue Aug  7 21:42:30 2001
--- raw_ip6.c	Tue Aug  7 21:42:36 2001
***************
*** 472,479 ****
  		m_freem(m);
  
   freectl:
- 	if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
- 		RTFREE(optp->ip6po_route.ro_rt);
  	if (control) {
  		if (optp == &opt)
  			ip6_clearpktopts(optp, 0, -1);
--- 472,477 ----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message