Date: Mon, 27 May 2019 12:41:41 +0000 (UTC)
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r348303 - head/sys/net
Message-ID: <201905271241.x4RCffTm047128@repo.freebsd.org>
Author: ae Date: Mon May 27 12:41:41 2019 New Revision: 348303 URL: https://svnweb.freebsd.org/changeset/base/348303 Log: Fix possible NULL pointer dereference. bpf_mtap() can invoke catchpacket() for already detached descriptor. And this can lead to NULL pointer dereference, since bd_bif pointer was reset to NULL in bpf_detachd_locked(). To avoid this, use NET_EPOCH_WAIT() when descriptor is removed from interface's descriptors list. After the wait it is safe to modify descriptor's content. Submitted by: kib Reported by: slavash MFC after: 1 week Modified: head/sys/net/bpf.c Modified: head/sys/net/bpf.c ============================================================================== --- head/sys/net/bpf.c Mon May 27 06:37:23 2019 (r348302) +++ head/sys/net/bpf.c Mon May 27 12:41:41 2019 (r348303) @@ -850,10 +850,15 @@ bpf_detachd_locked(struct bpf_d *d, bool detached_ifp) /* Check if descriptor is attached */ if ((bp = d->bd_bif) == NULL) return; + /* + * Remove d from the interface's descriptor list. + * And wait until bpf_[m]tap*() will finish their possible work + * with descriptor. + */ + CK_LIST_REMOVE(d, bd_next); + NET_EPOCH_WAIT(); BPFD_LOCK(d); - /* Remove d from the interface's descriptor list. */ - CK_LIST_REMOVE(d, bd_next); /* Save bd_writer value */ error = d->bd_writer; ifp = bp->bif_ifp;
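Review bot: NET_EPOCH_WAIT() blocks until every reader currently inside a network epoch section has left it, so after this hunk bpf_detachd_locked() can sleep; the `_locked` suffix says a caller-held lock is in force, but the hunk does not show which lock that is, so confirm that each caller holds only locks that permit sleeping at this point and that no caller reaches here from inside an epoch section itself, where the wait would never complete. The ordering itself is the right one for the bug described in the log: CK_LIST_REMOVE(d, bd_next) now runs before the wait and before BPFD_LOCK(d), so a concurrent bpf_[m]tap*() either finds the descriptor and finishes with it before the wait returns, or never sees it; it would help a later reader to state in the new comment that d->bd_bif must therefore remain valid until NET_EPOCH_WAIT() returns, since that is the invariant the rest of the function relies on. Minor wording in the added comment: "And wait until bpf_[m]tap*() will finish their possible work with descriptor." reads better as "Then wait until any bpf_[m]tap*() in progress has finished with the descriptor."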