From owner-cvs-all@FreeBSD.ORG Thu Nov 24 18:56:30 2005
Message-Id: <200511241856.jAOIuFgK020175@repoman.freebsd.org>
From: Ruslan Ermilov
Date: Thu, 24 Nov 2005 18:56:14 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/net if_clone.c
X-FreeBSD-CVS-Branch: HEAD

ru          2005-11-24 18:56:14 UTC

  FreeBSD src repository

  Modified files:
    sys/net              if_clone.c
  Log:
  Fix the following bugs:

  - In ifc_name2unit(), disallow leading zeroes in a unit.

    Exploit: ifconfig lo01 create

  - In ifc_name2unit(), properly handle overflows.  Otherwise,
    either of two local panic()'s can occur, either because
    no interface with such a name could be found after it was
    successfully created, or because the code will bogusly
    assume that it's a wildcard (unit < 0 due to overflow).

    Exploit: ifconfig lo create

  - Previous revision made the following sequence trigger
    a KASSERT() failure in queue(3):

    Exploit: ifconfig lo0 destroy; ifconfig lo0 destroy

    This is because IFC_IFLIST_REMOVE() is always called
    before ifc->ifc_destroy() has been run, not accounting
    for the fact that the latter can fail and leave the
    interface operating (like is the case for "lo0").
    So we ended up calling LIST_REMOVE() twice.

    We cannot defer IFC_IFLIST_REMOVE() until after a call
    to ifc->ifc_destroy() because the ifnet may have been
    removed and its memory has been freed, so recover from
    this by re-inserting the ifnet in the cloned interfaces
    list if ifc->ifc_destroy() indicates a failure.

  Revision  Changes    Path
  1.9       +20 -5     src/sys/net/if_clone.c
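
The first two items in the log above concern parsing a unit number out of an interface name. As an added illustration (not the FreeBSD if_clone.c code), the sketch below puts an unchecked digit accumulator beside a checked one that rejects leading zeroes and overflow; the function names, return codes and sample names are hypothetical and constructed for this example.

```c
#include <limits.h>
#include <stdio.h>

#define UNIT_WILDCARD (-1) /* no digits in the name: caller picks a unit */
#define UNIT_INVALID  (-2) /* malformed or out-of-range unit */

static const char *skip_prefix(const char *cp) {
    while (*cp != '\0' && (*cp < '0' || *cp > '9'))
        cp++;
    return cp;
}

/* Unchecked parse: "lo01" aliases "lo1", and long digit runs wrap. */
static int parse_unit_naive(const char *name) {
    const char *cp = skip_prefix(name);
    unsigned int unit = 0; /* unsigned so the wrap is well defined */
    if (*cp == '\0')
        return UNIT_WILDCARD;
    for (; *cp >= '0' && *cp <= '9'; cp++)
        unit = unit * 10 + (unsigned int)(*cp - '0');
    return (int)unit; /* can come back negative and look like a wildcard */
}

/* Checked parse: one canonical spelling per unit, range 0..INT_MAX. */
static int parse_unit(const char *name) {
    const char *cp = skip_prefix(name);
    int unit = 0;
    if (*cp == '\0')
        return UNIT_WILDCARD;
    if (cp[0] == '0' && cp[1] != '\0')
        return UNIT_INVALID; /* leading zero, e.g. "lo01" */
    for (; *cp != '\0'; cp++) {
        if (*cp < '0' || *cp > '9')
            return UNIT_INVALID; /* trailing non-digit */
        int d = *cp - '0';
        if (unit > (INT_MAX - d) / 10)
            return UNIT_INVALID; /* unit * 10 + d would overflow */
        unit = unit * 10 + d;
    }
    return unit;
}

int main(void) {
    const char *names[] = { "lo", "lo0", "lo01", "lo4294967295", "lo4294967297" }; /* constructed */
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-14s naive=%d checked=%d\n", names[i],
            parse_unit_naive(names[i]), parse_unit(names[i]));
    return 0;
}
```

With a 32-bit `unsigned int`, the unchecked version maps the last sample name to unit 1, so the name that was requested and the unit that was recorded no longer agree; the checked version refuses the name instead.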