Date: Fri, 3 Feb 2006 18:05:04 +0200
From: Ruslan Ermilov <ru@FreeBSD.org>
To: Gleb Smirnoff <glebius@FreeBSD.org>
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_dummynet.c
Message-ID: <20060203160504.GH10228@ip.net.ua>
In-Reply-To: <200602031138.k13BcK09081443@repoman.freebsd.org>
References: <200602031138.k13BcK09081443@repoman.freebsd.org>

On Fri, Feb 03, 2006 at 11:38:19AM +0000, Gleb Smirnoff wrote:
> glebius     2006-02-03 11:38:19 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/netinet          ip_dummynet.c
>   Log:
>   Dropping the lock in the transmit_event() is not safe, because we
>   store some pipe pointers on stack. If user reconfigures dummynet
>   in the interlock gap, we can work with freed pipes after relock.
>
>   To fix this, we decided not to send packets in transmit_event(),
>   but fill a queue. At the end of dummynet() and dummynet_io(),
>   after the lock is dropped, if there is something in the queue
>   we run dummynet_send() to process the queue.
>
>   In collaboration with:  ru
>
>   Revision  Changes    Path
>   1.98      +115 -94   src/sys/netinet/ip_dummynet.c
>
The insufficient locking resulted in a "NULL-like" pointer dereference.
Fault virtual address was 0x18: NULL + 8 (sizeof of a pointer on amd64)
+ 0x10 (structure offset).

Thanks for providing the fix so quickly and for working over night!

Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
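
The queue-then-send pattern described in the commit log above, as an added example that is not code from ip_dummynet.c or from either author. All types and names are hypothetical simplifications, the lock is a single-threaded flag, and reconfigure() is a constructed stand-in for a user reconfiguring dummynet while packets are being sent.

```c
#include <stdlib.h>

/* Hypothetical, simplified types; not the structures from ip_dummynet.c. */
struct pkt  { struct pkt *next; };
struct pipe { struct pkt *ready; };            /* packets due for transmit */
struct pktq { struct pkt *head, **tail; };     /* caller-owned send queue */

static int lock_held;                          /* stand-in for the dummynet lock */
static struct pipe *cfg_pipe;                  /* pipe owned by the configuration */
static struct pkt pkts[3];                     /* constructed sample packets */
static int sent, sent_under_lock;

static void lock(void)   { lock_held = 1; }
static void unlock(void) { lock_held = 0; }

/* Constructed stand-in for a user reconfiguring dummynet: frees the pipe. */
static void reconfigure(void) { lock(); free(cfg_pipe); cfg_pipe = NULL; unlock(); }

/* Runs with the lock held: only moves ready packets onto the queue. */
static void transmit_event(struct pipe *p, struct pktq *q) {
    struct pkt *m;
    while ((m = p->ready) != NULL) {
        p->ready = m->next;
        m->next = NULL;
        *q->tail = m;
        q->tail = &m->next;
    }
}

/* Runs after the lock is dropped: touches packets only, never a pipe. */
static void send_queue(struct pktq *q) {
    struct pkt *m;
    while ((m = q->head) != NULL) {
        q->head = m->next;
        if (lock_held) sent_under_lock++;      /* would mean sending under the lock */
        if (sent++ == 0) reconfigure();        /* pipe is freed in the middle of the send */
    }
}

static int demo(void) {
    struct pktq q; q.head = NULL; q.tail = &q.head;
    cfg_pipe = calloc(1, sizeof(*cfg_pipe));
    if (cfg_pipe == NULL) abort();
    for (int i = 0; i < 3; i++) { pkts[i].next = cfg_pipe->ready; cfg_pipe->ready = &pkts[i]; }
    sent = sent_under_lock = 0;
    lock(); transmit_event(cfg_pipe, &q); unlock();  /* no pipe pointer survives past here */
    send_queue(&q);
    return sent;                               /* all 3 packets sent despite the freed pipe */
}

int main(void) { return demo() == 3 ? 0 : 1; }
```

Because the pipe is only dereferenced between lock() and unlock(), freeing it during the send phase leaves nothing stale on the stack to follow.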
