From owner-freebsd-net@FreeBSD.ORG Sat Jun 28 18:20:01 2003
Return-Path: 
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C0E1637B401 for ; Sat, 28 Jun 2003 18:20:01 -0700 (PDT)
Received: from mail.sandvine.com (sandvine.com [199.243.201.138]) by mx1.FreeBSD.org (Postfix) with ESMTP id 155F944029 for ; Sat, 28 Jun 2003 18:20:01 -0700 (PDT) (envelope-from don@sandvine.com)
Received: by mail.sandvine.com with Internet Mail Service (5.5.2653.19) id ; Sat, 28 Jun 2003 21:19:56 -0400
Message-ID: 
From: Don Bowman 
To: "'freebsd-net@freebsd.org'" 
Date: Sat, 28 Jun 2003 21:19:56 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
Subject: using memory after freed in tcp_syncache (syncache_timer())
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Sun, 29 Jun 2003 01:20:02 -0000

syncache_timer()
...
        /*
         * syncache_respond() may call back into the syncache to
         * to modify another entry, so do not obtain the next
         * entry on the timer chain until it has completed.
         */
        (void) syncache_respond(sc, NULL);
        nsc = TAILQ_NEXT(sc, sc_timerq);
        tcpstat.tcps_sc_retransmitted++;
        TAILQ_REMOVE(&tcp_syncache.timerq[slot], sc, sc_timerq);

So what happens is that syncache_respond() calls ip_output(), which ends up calling ip_input(), which ends up doing something that causes 'sc' to be freed. Now 'sc' is freed, we return to syncache_timer(), and then we use it in the nsc = TAILQ_NEXT(...) line.

This particular part of the problem was introduced in 1.23 of tcp_syncache.c in response to another bug that I had found.

Does anyone have a suggestion on a proper fix?
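The hazard in the post is a timer loop walking a TAILQ while the per-entry callback can re-enter the list and drop entries. The following C program is an added illustration, not code from the post or from FreeBSD: it uses a minimal stand-in for the TAILQ macros, a respond() that models the re-entrant ip_output() -> ip_input() path dropping one entry, and three shapes of the timer loop. timer_next_first() fetches the successor before the call (the shape the 1.23 comment warns against), timer_next_after() is the shape quoted in the post, and timer_pinned() holds a reference across the call so the current entry cannot be reclaimed underneath the loop. The refs and on_timerq fields, the trigger/victim parameters, the static pool and the dangling counter are all assumptions of the illustration; whether reference pinning is the right fix for the real syncache is the question the post asks, and this code does not settle it.

```c
#include <string.h>

/* Minimal intrusive list standing in for <sys/queue.h> TAILQ so this builds
 * on any libc. As with TAILQ_REMOVE in a non-debug kernel, removal leaves
 * the removed element's own next/prev pointers intact. */
struct sc {
    int id;
    int refs;        /* assumed: pins held on the entry; last release frees it */
    int on_timerq;   /* 1 while linked on the timer chain */
    int freed;       /* set by sc_free(); models the allocator reclaiming it */
    struct sc *next, *prev;
};
struct sclist { struct sc *first, *last; };

static void list_insert_tail(struct sclist *l, struct sc *e)
{
    e->next = NULL; e->prev = l->last;
    if (l->last) l->last->next = e; else l->first = e;
    l->last = e;
}
static void list_remove(struct sclist *l, struct sc *e)
{
    if (e->prev) e->prev->next = e->next; else l->first = e->next;
    if (e->next) e->next->prev = e->prev; else l->last = e->prev;
}

/* Constructed test state: a static pool keeps "freed" memory readable, so a
 * dangling access is counted by touch() instead of crashing the process. */
#define NSC 4
static struct sc pool[NSC];
static struct sclist timerq;
static int dangling;                 /* accesses to an entry after sc_free() */

static void sc_free(struct sc *sc) { sc->freed = 1; }
static void touch(struct sc *sc)   { if (sc && sc->freed) dangling++; }

/* Models syncache_drop(): unlink from the timer chain and release one ref. */
static void sc_drop(struct sc *sc)
{
    if (sc->on_timerq) { list_remove(&timerq, sc); sc->on_timerq = 0; }
    if (--sc->refs == 0) sc_free(sc);
}

/* Models syncache_respond() -> ip_output() -> ip_input() re-entering the
 * syncache: while entry `trigger` is being answered, entry `victim` gets
 * dropped. victim == trigger is the case described in the post. */
static void respond(struct sc *sc, int trigger, int victim)
{
    if (sc->id == trigger && !pool[victim].freed && pool[victim].on_timerq)
        sc_drop(&pool[victim]);
}

static void reset(void)
{
    memset(pool, 0, sizeof pool);
    timerq.first = timerq.last = NULL;
    dangling = 0;
    for (int i = 0; i < NSC; i++) {
        pool[i].id = i; pool[i].refs = 1; pool[i].on_timerq = 1;
        list_insert_tail(&timerq, &pool[i]);
    }
}

/* Each loop models one pass of syncache_timer() over a slot: answer every
 * entry, then take it off the chain (re-arming is elided). The return value
 * is how many times the loop dereferenced an already freed entry. */

/* Successor fetched before the call: breaks when the call drops the successor. */
static int timer_next_first(int trigger, int victim)
{
    struct sc *sc, *nsc;
    reset();
    for (sc = timerq.first; sc != NULL; sc = nsc) {
        nsc = sc->next;
        respond(sc, trigger, victim);
        touch(sc); touch(nsc);       /* TAILQ_REMOVE(sc) and the next iteration */
        if (sc->on_timerq) { list_remove(&timerq, sc); sc->on_timerq = 0; }
    }
    return dangling;
}

/* The 1.23 shape quoted in the post: breaks when the call drops sc itself. */
static int timer_next_after(int trigger, int victim)
{
    struct sc *sc, *nsc;
    reset();
    for (sc = timerq.first; sc != NULL; sc = nsc) {
        respond(sc, trigger, victim);
        touch(sc);                   /* TAILQ_NEXT(sc) on possibly freed memory */
        nsc = sc->next;
        if (sc->on_timerq) { list_remove(&timerq, sc); sc->on_timerq = 0; }
    }
    return dangling;
}

/* Pin sc across the call: a drop inside respond() unlinks it but cannot free
 * it, so sc->next is still readable and names a live successor. */
static int timer_pinned(int trigger, int victim)
{
    struct sc *sc, *nsc;
    reset();
    for (sc = timerq.first; sc != NULL; sc = nsc) {
        sc->refs++;
        respond(sc, trigger, victim);
        touch(sc);
        nsc = sc->next;
        if (sc->on_timerq) { list_remove(&timerq, sc); sc->on_timerq = 0; }
        if (--sc->refs == 0) sc_free(sc);   /* release the pin; frees if dropped */
    }
    return dangling;
}
```

Run with (trigger, victim) = (1, 1) for the self-drop case in the post and (1, 2) for the successor-drop case: timer_next_first() fails on the second, timer_next_after() fails on the first, timer_pinned() passes both. The pinned loop still relies on list_remove() leaving the removed element's next pointer intact and on the callback dropping at most one entry per call; a list that poisons links on removal, or a callback that can drop both sc and its successor, needs the loop to capture its successor from a still-linked entry or to defer reclamation until the walk is over.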