From: Robert Watson
Date: Thu, 23 Apr 2009 18:23:08 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r191435 - in releng/7.2/sys: . contrib/pf dev/ath/ath_hal dev/cxgb net

Author: rwatson
Date: Thu Apr 23 18:23:08 2009
New Revision: 191435
URL: http://svn.freebsd.org/changeset/base/191435

Log:
  Merge r191434 from stable/7 to releng/7.2:

    In sysctl_ifdata(), query the ifnet pointer using the index only once, rather than querying it, validating it, and then re-querying it without validating it. This may avoid a NULL pointer dereference and resulting kernel page fault if an interface is being deleted while bsnmp or other tools are querying data on the interface.

    The full fix, to properly refcount the interface for the duration of the sysctl, is in 8.x, but is considered too high-risk for 7.2, so instead will appear in 7.3 (if all goes well).

  Reported by: mdtancsa
  Approved by: re (kensmith)

Modified:
  releng/7.2/sys/ (props changed)
  releng/7.2/sys/contrib/pf/ (props changed)
  releng/7.2/sys/dev/ath/ath_hal/ (props changed)
  releng/7.2/sys/dev/cxgb/ (props changed)
  releng/7.2/sys/net/if_mib.c

Modified: releng/7.2/sys/net/if_mib.c ============================================================================== --- releng/7.2/sys/net/if_mib.c Thu Apr 23 17:47:15 2009 (r191434) +++ releng/7.2/sys/net/if_mib.c Thu Apr 23 18:23:08 2009 (r191435) 
@@ -82,11 +82,9 @@ sysctl_ifdata(SYSCTL_HANDLER_ARGS) /* XX return EINVAL; if (name[0] <= 0 || name[0] > if_index || - ifnet_byindex(name[0]) == NULL) + (ifp = ifnet_byindex(name[0])) == NULL) return ENOENT; - ifp = ifnet_byindex(name[0]); - switch(name[1]) { default: return ENOENT;
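Review bot: the ifp assigned inside the condition at `(ifp = ifnet_byindex(name[0])) == NULL` is still held without a reference when the `switch(name[1])` below it runs, so the pointer is validated once but can go stale if the interface is detached after the check. The log says the refcounted fix is deferred to a later release, so I would add a short comment above the condition saying that ifp is unreferenced here and that the window between lookup and use is known to remain, which keeps later edits to this function from treating the pointer as stable. The `name[0] > if_index` bound is also read separately from the lookup, so the NULL test on the returned pointer is the check that actually matters for a stale index and is worth calling out in the same comment. Minor style point: the assignment buried in the third clause of the `||` chain is easy to miss, and splitting it into its own `if` after the range check would read more clearly.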