From owner-cvs-src@FreeBSD.ORG Thu Nov 27 11:09:56 2003
From: Sam Leffler
Organization: Errno Consulting
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Date: Thu, 27 Nov 2003 11:12:34 -0800
References: <200311270940.hAR9eEIx089417@repoman.freebsd.org>
In-Reply-To: <200311270940.hAR9eEIx089417@repoman.freebsd.org>
Message-Id: <200311271112.34831.sam@errno.com>
Subject: Re: cvs commit: src/sys/netinet ip_fw2.c

On Thursday 27 November 2003 01:40 am, Andre Oppermann wrote:
> andre       2003/11/27 01:40:14 PST
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/netinet          ip_fw2.c
>   Log:
>   Fix verify_rev_path() function. The author of this function tried to
>   cut corners which completely broke down when the routing table locking
>   was introduced.

The locking actually was unrelated to the problem. The problem was that the code held a reference to a routing table entry without bumping the reference count.

The bug was identified because RTFREE (via RTFREE_LOCKED) zeros the argument after freeing the reference to safeguard against "use after free" bugs. This however zeroed the pointer that was being held in static memory as a cache and broke the logic of the code. This in turn broke the expected behaviour and caused someone to notice something was wrong. The existing code was a potential landmine because there was no guarantee the held reference was valid.

I note that this same problem exists in -stable...

	Sam
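The reference-counting mistake the mail describes, as an added example that is not part of the original message or of FreeBSD's ip_fw2.c; the routing table, `rt_lookup`, `RT_FREE` and the two `verify_*` functions are constructed stand-ins for rtalloc, RTFREE and verify_rev_path(). The buggy form caches an entry in static storage but drops its only reference after the first use, so the pointer-zeroing free leaves the cache empty; the fixed form keeps a reference for as long as the cache holds the entry.

```c
#include <stddef.h>

/* Constructed model of a refcounted routing entry; not FreeBSD's struct rtentry. */
struct rt { int refcnt; int ifidx; unsigned dst; };

/* Two constructed routes; each starts with the table's own reference. */
static struct rt table[2] = { { 1, 1, 0x0a000001u }, { 1, 2, 0x0a000002u } };

/* Stand-in for rtalloc: find dst and return it with one extra reference. */
static struct rt *rt_lookup(unsigned dst) {
    for (size_t i = 0; i < 2; i++)
        if (table[i].dst == dst) { table[i].refcnt++; return &table[i]; }
    return NULL;
}

/* Stand-in for RTFREE: drop one reference, then zero the caller's pointer so a
 * later use of the stale pointer faults instead of silently reading freed memory
 * (entries here live in a static table, so nothing is actually freed). */
#define RT_FREE(rtp) do { (*(rtp))->refcnt--; *(rtp) = NULL; } while (0)

/* Buggy pattern from the mail: the entry is kept in static storage as a cache,
 * but the only reference is dropped right after the first use, and the zeroing
 * RT_FREE leaves the cache holding NULL. The second call for the same src fails. */
int verify_buggy(unsigned src, int ifidx) {
    static unsigned cached_dst; static struct rt *cached_rt;
    if (cached_dst != src) { cached_rt = rt_lookup(src); cached_dst = src; }
    if (cached_rt == NULL || cached_rt->ifidx != ifidx) return 0;
    RT_FREE(&cached_rt);   /* reference gone while the cache still claims the entry */
    return 1;
}

/* Fixed pattern: the cache owns a reference for as long as it holds the pointer
 * and releases it only when the cached entry is replaced. */
int verify_fixed(unsigned src, int ifidx) {
    static unsigned cached_dst; static struct rt *cached_rt;
    if (cached_dst != src || cached_rt == NULL) {
        if (cached_rt != NULL) RT_FREE(&cached_rt);
        cached_rt = rt_lookup(src); cached_dst = src;
    }
    return (cached_rt != NULL && cached_rt->ifidx == ifidx) ? 1 : 0;
}

/* Current reference count of a table slot, for checking the two patterns. */
int rt_refcnt(size_t slot) { return table[slot].refcnt; }
```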