Date: Wed, 8 Aug 2001 09:04:18 +0800
From: "David Xu" <bsddiy@163.net>
To: <freebsd-net@FreeBSD.ORG>, <jinmei@isl.rdc.toshiba.co.jp>
Subject: Re: possible duplicated free in kernel
Message-ID: <001601c11fa6$0d4ce560$6201a8c0@William>
References: <y7vvgk082ff.wl@condor.jinmei.org>
Why don't you report it via PR? I suspect most patches will be lost in this mailing list.
--
David Xu
----- Original Message -----
From: JINMEI Tatuya / 神明達哉 <jinmei@isl.rdc.toshiba.co.jp>
To: <freebsd-net@FreeBSD.ORG>
Sent: Tuesday, August 07, 2001 8:44 PM
Subject: possible duplicated free in kernel
> (Probably I have to make a PR...,)
>
> The latest RELENG_4 version (rev. 1.7.2.4) of sys/netinet6/raw_ip6.c
> has the following code fragment:
>
> rip6_output()
> ..
>  freectl:
>     if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
>         RTFREE(optp->ip6po_route.ro_rt);
>     if (control) {
>         if (optp == &opt)
>             ip6_clearpktopts(optp, 0, -1);
>
> Thus, it can call RTFREE inside the function. However,
> ip6_clearpktopts (defined in netinet6/ip6_output.c) also calls RTFREE:
>
> ip6_clearpktopts()
> ..
>     if (pktopt->ip6po_route.ro_rt) {
>         RTFREE(pktopt->ip6po_route.ro_rt);
>         pktopt->ip6po_route.ro_rt = NULL;
>     }
>
> Consequently, optp->ip6po_route.ro_rt can be freed two times,
> unexpectedly.
>
> Here is a patch to fix the problem. Please review it, and merge it
> to the repository (hopefully before 4.4-RELEASE.) if acceptable.
>
> Thanks,
>
> JINMEI, Tatuya
> Communication Platform Lab.
> Corporate R&D Center, Toshiba Corp.
> jinmei@isl.rdc.toshiba.co.jp
>
>
> *** raw_ip6.c.orig Tue Aug 7 21:42:30 2001
> --- raw_ip6.c Tue Aug 7 21:42:36 2001
> ***************
> *** 472,479 ****
> m_freem(m);
>
> freectl:
> - if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
> - RTFREE(optp->ip6po_route.ro_rt);
> if (control) {
> if (optp == &opt)
> ip6_clearpktopts(optp, 0, -1);
> --- 472,477 ----
>
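Review bot: the two deleted lines under freectl: sat outside the `if (control)` block, while the remaining ip6_clearpktopts(optp, 0, -1) call is inside it, so after this change the route reference is released only when control is set. Please confirm that optp == &opt can only hold when control is non-NULL; if it can hold otherwise, the reference in optp->ip6po_route.ro_rt is no longer dropped on that path. A short comment at freectl: stating that ip6_clearpktopts() is the one place that calls RTFREE on ip6po_route.ro_rt and clears the pointer would help keep a second release from being reintroduced.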
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
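The double release described in the quoted report, as an added C model that is not FreeBSD source and not part of either message. The types are simplified stand-ins, the reference counting is reduced to a plain decrement, and `rtfree_model`, `clearpktopts_model`, `cleanup_before`, `cleanup_after` and `run` are hypothetical names.

```c
#include <stdio.h>
/* Simplified stand-ins for the kernel types; field names follow the post. */
struct rtentry { int rt_refcnt; int destroyed; };
struct route   { struct rtentry *ro_rt; };
struct pktopts { int ip6po_rthdr; struct route ip6po_route; };

/* Model of RTFREE: drop one reference, destroy the entry at zero. */
static void rtfree_model(struct rtentry *rt)
{
    if (--rt->rt_refcnt == 0)
        rt->destroyed = 1;
}

/* Model of ip6_clearpktopts(): release the route and clear the pointer. */
static void clearpktopts_model(struct pktopts *o)
{
    if (o->ip6po_route.ro_rt) {
        rtfree_model(o->ip6po_route.ro_rt);
        o->ip6po_route.ro_rt = NULL;
    }
}

/* freectl path before the patch: releases, keeps the pointer, then clears. */
static void cleanup_before(struct pktopts *o)
{
    if (o->ip6po_rthdr && o->ip6po_route.ro_rt)
        rtfree_model(o->ip6po_route.ro_rt);
    clearpktopts_model(o);
}

/* freectl path after the patch: a single place performs the release. */
static void cleanup_after(struct pktopts *o) { clearpktopts_model(o); }

/* `holders` references exist, one owned by the options; correct cleanup
 * leaves holders - 1. Returns the route entry's final state. */
static struct rtentry run(void (*cleanup)(struct pktopts *), int holders)
{
    struct rtentry rt = { holders, 0 };
    struct pktopts o = { 1, { &rt } };
    cleanup(&o);
    return rt;
}

int main(void)
{
    struct rtentry b = run(cleanup_before, 2), a = run(cleanup_after, 2);
    printf("before: refs=%d destroyed=%d\n", b.rt_refcnt, b.destroyed);
    printf("after:  refs=%d destroyed=%d\n", a.rt_refcnt, a.destroyed);
    return 0;
}
```

With two holders, the pre-patch path destroys the entry while the other holder still references it; with the patch the count drops by exactly one.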
