From: John Baldwin
To: "Bjoern A. Zeeb"
Cc: net@freebsd.org
Date: Tue, 3 Jan 2012 13:52:44 -0500
Subject: Re: [PATCH] Use of unreferenced ifa in in6
Message-Id: <201201031352.45069.jhb@freebsd.org>
References: <201112231508.52861.jhb@freebsd.org>
User-Agent: KMail/1.13.5 (FreeBSD/8.2-CBSD-20110714-p8; KDE/4.5.5; amd64; ; )

On Tuesday, January 03, 2012 12:35:30 pm Bjoern A. Zeeb wrote:
> 
> On 23. Dec 2011, at 20:08 , John Baldwin wrote:
> 
> > The code to handle the SIOCGLIFADDR and SIOCDLIFADDR ioctls in
> > in6_lifaddr_ioctl() does not grab a reference to an ifnet address structure
> > that it uses after dropping the IF_ADDR_LOCK(). Based on other code that uses
> > a similar pattern of finding an ifa while under the lock and then using it
> > after dropping the lock, I believe it should be acquiring a reference on the
> > ifa and then dropping that reference when it is done using the ifa. This
> > (untested) patch should fix this I believe:
> 
> I almost assume it's been tested by now. From reading it looks right.

Hmm, I don't have a good way to test it. :( I've booted a GENERIC kernel with
it, but I don't have IPv6 setup for my test machines.

> /bz
> 
> > Index: in6.c
> > ===================================================================
> > --- in6.c (revision 228777)
> > +++ in6.c (working copy)
> > @@ -1767,6 +1767,8 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c > > if (IN6_ARE_ADDR_EQUAL(&candidate, &match)) > > break; > > } > > + if (ifa != NULL) > > + ifa_ref(ifa); > > IF_ADDR_UNLOCK(ifp); > > if (!ifa) > > return EADDRNOTAVAIL; > > @@ -1779,16 +1781,20 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c > > bcopy(&ia->ia_addr, &iflr->addr, ia->ia_addr.sin6_len); > > error = sa6_recoverscope( > > (struct sockaddr_in6 *)&iflr->addr); > > - if (error != 0) > > + if (error != 0) { > > + ifa_free(ifa); > > return (error); > > + } > > > > if ((ifp->if_flags & IFF_POINTOPOINT) != 0) { > > bcopy(&ia->ia_dstaddr, &iflr->dstaddr, > > ia->ia_dstaddr.sin6_len); > > error = sa6_recoverscope( > > (struct sockaddr_in6 *)&iflr->dstaddr); > > - if (error != 0) > > + if (error != 0) { > > + ifa_free(ifa); > > return (error); > > + } > > } else > > bzero(&iflr->dstaddr, sizeof(iflr->dstaddr)); > > > > @@ -1796,6 +1802,7 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c > > in6_mask2len(&ia->ia_prefixmask.sin6_addr, NULL); > > > > iflr->flags = ia->ia6_flags; /* XXX */ > > + ifa_free(ifa); > > > > return 0; > > } else { > > @@ -1819,6 +1826,7 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c > > ia->ia_prefixmask.sin6_len); > > > > ifra.ifra_flags = ia->ia6_flags; > > + ifa_free(ifa); > > return in6_control(so, SIOCDIFADDR_IN6, (caddr_t)&ifra, > > ifp, td); > > } > > > > > > -- > > John Baldwin > > -- > Bjoern A. Zeeb You have to have visions! > It does not matter how good you are. It matters what good you do! > > -- John Baldwin
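Review bot: in the @@ -1767 hunk the ifa_ref() is taken before IF_ADDR_UNLOCK(ifp), which is the right ordering: the reference is acquired while the address list cannot change underneath the lookup, so the ifa cannot be freed between the unlock and its later use. The NULL path needs no matching ifa_free() because no reference was taken; only a style point remains, in that the new `if (ifa != NULL)` sits next to the existing `if (!ifa)` and the two could use the same form.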
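Review bot: in the @@ -1779 hunk the two sa6_recoverscope() failure paths now drop the reference before `return (error)`, and the added braces are needed since each path grew to two statements. With a reference held, every early return between ifa_ref() and the final ifa_free() must release it; the visible context of the SIOCGLIFADDR branch shows no other return, but that is the invariant to check if this block is changed later.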
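Review bot: in the @@ -1796 hunk ifa_free(ifa) is placed after the last read of `ia->ia6_flags` and before `return 0`. Assuming ia points into the same address structure as ifa (it is used alongside ifa in this branch), the free must stay after the final dereference of ia, as it does here; moving it earlier would turn that read into a use-after-free.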
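Review bot: in the @@ -1819 hunk the reference is dropped before calling in6_control(so, SIOCDIFADDR_IN6, ...). That is safe because the delete request is built from the local copy `ifra` rather than from ia, and it avoids holding a reference across a call that may itself remove the address; the corollary is that neither ia nor ifa may be dereferenced after the ifa_free(), which the visible lines respect.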