Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 10 Oct 2023 14:34:20 GMT
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 41023d85b3bc - releng/14.0 - netlink: fix accessing freed memory
Message-ID:  <202310101434.39AEYKZ2005058@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch releng/14.0 has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=41023d85b3bc43cb421f46bb35cf75201542c528

commit 41023d85b3bc43cb421f46bb35cf75201542c528
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2023-09-30 15:11:57 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2023-10-10 14:33:37 +0000

    netlink: fix accessing freed memory
    
    The check for if_addrlen in dump_iface() is not sufficient to determine
    if we still have a valid if_addr.  Rather than directly accessing if_addr
    check the STAILQ (for the first entry).
    This avoids panics when destroying cloned interfaces as experienced with
    net80211 wlan ones.
    
    Sponsored by:   The FreeBSD Foundation
    Approved by:    re (gjb)
    Reviewed by:    jhibbits (earlier version), kp
    Differential Revision: https://reviews.freebsd.org/D42027
    
    (cherry picked from commit 7d48224073ce14f0dd3db2d4e96876ac928b52f2)
    (cherry picked from commit 8bda9f9c56a997d851e8fc2c20b5e37f072ecb4a)
---
 sys/netlink/route/iface.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/sys/netlink/route/iface.c b/sys/netlink/route/iface.c
index e1939c7681de..b6e120933f83 100644
--- a/sys/netlink/route/iface.c
+++ b/sys/netlink/route/iface.c
@@ -292,6 +292,7 @@ static bool
 dump_iface(struct nl_writer *nw, if_t ifp, const struct nlmsghdr *hdr,
     int if_flags_mask)
 {
+	struct epoch_tracker et;
         struct ifinfomsg *ifinfo;
 
         NL_LOG(LOG_DEBUG3, "dumping interface %s data", if_name(ifp));
@@ -321,11 +322,15 @@ dump_iface(struct nl_writer *nw, if_t ifp, const struct nlmsghdr *hdr,
         nlattr_add_u8(nw, IFLA_PROTO_DOWN, val);
         nlattr_add_u8(nw, IFLA_LINKMODE, val);
 */
-        if (if_getaddrlen(ifp) != 0) {
-		struct ifaddr *ifa = if_getifaddr(ifp);
+	if (if_getaddrlen(ifp) != 0) {
+		struct ifaddr *ifa;
 
-                dump_sa(nw, IFLA_ADDRESS, ifa->ifa_addr);
-        }
+		NET_EPOCH_ENTER(et);
+		ifa = CK_STAILQ_FIRST(&ifp->if_addrhead);
+		if (ifa != NULL)
+			dump_sa(nw, IFLA_ADDRESS, ifa->ifa_addr);
+		NET_EPOCH_EXIT(et);
+	}
 
         if ((if_getbroadcastaddr(ifp) != NULL)) {
 		nlattr_add(nw, IFLA_BROADCAST, if_getaddrlen(ifp),

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202310101434.39AEYKZ2005058>