Date: Thu, 27 Nov 2003 11:12:34 -0800
From: Sam Leffler <sam@errno.com>
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw2.c
Message-ID: <200311271112.34831.sam@errno.com>
In-Reply-To: <200311270940.hAR9eEIx089417@repoman.freebsd.org>
References: <200311270940.hAR9eEIx089417@repoman.freebsd.org>

On Thursday 27 November 2003 01:40 am, Andre Oppermann wrote:
> andre 2003/11/27 01:40:14 PST
>
> FreeBSD src repository
>
> Modified files:
> sys/netinet ip_fw2.c
> Log:
> Fix verify_rev_path() function. The author of this function tried to
> cut corners which completely broke down when the routing table locking
> was introduced.

The locking actually was unrelated to the problem. The problem was that the code held a reference to a routing table entry w/o bumping the reference count. The bug was identified because RTFREE (via RTFREE_LOCKED) zeroes the argument after freeing the reference to safeguard "use after free" bugs. This however zeroed the pointer that was being held in static memory as a cache and broke the logic of the code. This in turn broke the expected behaviour and caused someone to notice something was wrong. The existing code was a potential landmine because there was no guarantee the held reference was valid.

I note that this same problem exists in -stable...

Sam
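
The cached-pointer problem described in the message above, as an added example that is not part of the original e-mail and is not FreeBSD code. All names (`struct rt`, `RT_RELEASE`, `cache_store_*`) are hypothetical, and a `live` flag stands in for freed memory so the stale case can be observed without a real use-after-free.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy reference-counted route entry (assumed layout, not struct rtentry). */
struct rt { int refcnt; int live; int ifidx; };

static struct rt table_entry;   /* the one entry in the toy routing table */
static struct rt *cache;        /* pointer kept in static memory as a cache */

/* Drop one reference; the entry dies at zero. As the message says of RTFREE,
 * the caller's pointer is zeroed afterwards to guard against later use. */
#define RT_RELEASE(p) do { if (--(p)->refcnt == 0) (p)->live = 0; (p) = NULL; } while (0)

static struct rt *table_install(int ifidx) {
    table_entry = (struct rt){ .refcnt = 1, .live = 1, .ifidx = ifidx };
    return &table_entry;        /* this one reference belongs to the table */
}

/* Flawed pattern: remember the pointer without bumping the count. */
static void cache_store_borrowed(struct rt *r) { cache = r; }

/* Corrected pattern: the cache takes, and later releases, its own reference. */
static void cache_store_owned(struct rt *r) {
    if (cache != NULL)
        RT_RELEASE(cache);
    r->refcnt++;
    cache = r;
}

/* Returns the cached interface index, or -1 if the cached entry is gone. */
static int cache_lookup(void) {
    return (cache != NULL && cache->live) ? cache->ifidx : -1;
}

/* Install a route, cache it, then let the table drop its reference. */
static int scenario(int owned) {
    struct rt *owner = table_install(7);   /* constructed sample value */
    cache = NULL;
    if (owned) cache_store_owned(owner); else cache_store_borrowed(owner);
    RT_RELEASE(owner);
    return cache_lookup();
}

int main(void) {
    printf("borrowed: %d\nowned: %d\n", scenario(0), scenario(1));
    return 0;
}
```

With the borrowed pointer the entry dies as soon as the table lets go, so nothing guarantees the cached pointer is valid; with its own reference the cache keeps the entry alive until it releases it.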