Date: Thu, 19 Mar 2015 02:54:15 +0300 From: "Andrey V. Elsukov" <bu7cher@yandex.ru> To: Alexandre Martins <alexandre.martins@stormshield.eu>, 'freebsd-current' <freebsd-current@freebsd.org> Subject: Re: Possible race in IPv6 Message-ID: <550A1027.4010807@yandex.ru> In-Reply-To: <95157304.ieSUkydfeD@pc-alex> References: <95157304.ieSUkydfeD@pc-alex>
next in thread | previous in thread | raw e-mail | index | archive | help
On 18.03.2015 20:01, Alexandre Martins wrote: > Dear, > > I'm facing some crash around manipulations of IPv6 address. > > I already found that the commit 275593 will fix my issue. > > However, after some code review, i see a possible race in the function > nd6_na_input: > > https://svnweb.freebsd.org/base/head/sys/netinet6/nd6_nbr.c?annotate=279676#l750 > > =-=-=-=-=-=-=-=-=-= > if (ifa > && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE)) { > ifa_free(ifa); > nd6_dad_na_input(ifa); > goto freeit; > } > =-=-=-=-=-=-=-=-=-= > > As you can see, the function drop its reference on the address and pass it to > nd6_dad_na_input. > It should be better to release the reference after the call. > > What about you? Hi, Actually nd6_dad_na_input() uses ifa only for addresses comparison, so there shouldn't be some negative impact in this race. But for the better code logic I'll commit this change. Thanks. -- WBR, Andrey V. Elsukov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?550A1027.4010807>