From owner-freebsd-current@FreeBSD.ORG Wed Mar 18 23:55:50 2015 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A74A39E7 for ; Wed, 18 Mar 2015 23:55:50 +0000 (UTC) Received: from forward4l.mail.yandex.net (forward4l.mail.yandex.net [IPv6:2a02:6b8:0:1819::4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Certum Level IV CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5F61C7A for ; Wed, 18 Mar 2015 23:55:50 +0000 (UTC) Received: from smtp3h.mail.yandex.net (smtp3h.mail.yandex.net [84.201.186.20]) by forward4l.mail.yandex.net (Yandex) with ESMTP id 952431441647; Thu, 19 Mar 2015 02:55:38 +0300 (MSK) Received: from smtp3h.mail.yandex.net (localhost [127.0.0.1]) by smtp3h.mail.yandex.net (Yandex) with ESMTP id 179231B42CB6; Thu, 19 Mar 2015 02:55:37 +0300 (MSK) Received: from unknown (unknown [2a02:6b8:0:6::bb]) by smtp3h.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id PVtnZki0cj-tbMqZbeD; Thu, 19 Mar 2015 02:55:37 +0300 (using TLSv1.2 with cipher AES128-SHA (128/128 bits)) (Client certificate not present) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1426722937; bh=asURlY1F4rU/eLc3IpKsoMheZAIzsmjFHJt+r54jtRI=; h=Message-ID:Date:From:User-Agent:MIME-Version:To:Subject: References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=GqnhC0yDjlvvoN4DU5l4a/bQCF7JyLPAuDM7EbEWSkhFCy1TimZhbHwGWS+SrGkra FvcpcDcLiU4l8UTXcBqIJoW42cX1vuyTaAXlzxyTJIniYI/t1+SIuEMeMZa04C1uiS WM6YGB1NfhviL5KVHXtwnOS1Er++BS7H4ALHnTLY= Authentication-Results: smtp3h.mail.yandex.net; dkim=pass header.i=@yandex.ru Message-ID: <550A1027.4010807@yandex.ru> Date: Thu, 19 Mar 2015 02:54:15 +0300 From: "Andrey V. Elsukov" User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0 MIME-Version: 1.0 To: Alexandre Martins , 'freebsd-current' Subject: Re: Possible race in IPv6 References: <95157304.ieSUkydfeD@pc-alex> In-Reply-To: <95157304.ieSUkydfeD@pc-alex> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Mar 2015 23:55:50 -0000 On 18.03.2015 20:01, Alexandre Martins wrote: > Dear, > > I'm facing some crash around manipulations of IPv6 address. > > I already found that the commit 275593 will fix my issue. > > However, after some code review, i see a possible race in the function > nd6_na_input: > > https://svnweb.freebsd.org/base/head/sys/netinet6/nd6_nbr.c?annotate=279676#l750 > > =-=-=-=-=-=-=-=-=-= > if (ifa > && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE)) { > ifa_free(ifa); > nd6_dad_na_input(ifa); > goto freeit; > } > =-=-=-=-=-=-=-=-=-= > > As you can see, the function drop its reference on the address and pass it to > nd6_dad_na_input. > It should be better to release the reference after the call. > > What about you? Hi, Actually nd6_dad_na_input() uses ifa only for addresses comparison, so there shouldn't be some negative impact in this race. But for the better code logic I'll commit this change. Thanks. -- WBR, Andrey V. Elsukov