Date: Fri, 3 Feb 2006 18:05:04 +0200
From: Ruslan Ermilov <ru@FreeBSD.org>
To: Gleb Smirnoff <glebius@FreeBSD.org>
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_dummynet.c
Message-ID: <20060203160504.GH10228@ip.net.ua>
In-Reply-To: <200602031138.k13BcK09081443@repoman.freebsd.org>
References: <200602031138.k13BcK09081443@repoman.freebsd.org>

On Fri, Feb 03, 2006 at 11:38:19AM +0000, Gleb Smirnoff wrote:
> glebius 2006-02-03 11:38:19 UTC
>
> FreeBSD src repository
>
> Modified files:
> sys/netinet ip_dummynet.c
> Log:
> Dropping the lock in the transmit_event() is not safe, because we
> store some pipe pointers on stack. If user reconfigures dummynet
> in the interlock gap, we can work with freed pipes after relock.
>
> To fix this, we decided not to send packets in transmit_event(),
> but fill a queue. At the end of dummynet() and dummynet_io(),
> after the lock is dropped, if there is something in the queue
> we run dummynet_send() to process the queue.
>
> In collaboration with: ru
>
> Revision Changes Path
> 1.98 +115 -94 src/sys/netinet/ip_dummynet.c
>

The insufficient locking resulted in a "NULL-like" pointer dereference.
Fault virtual address was 0x18: NULL + 8 (sizeof of a pointer on amd64)
+ 0x10 (structure offset).

Thanks for providing the fix so quickly and for working overnight!

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
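
The pattern described in the commit log above, as an added user-space sketch that is not part of the original message and is not the FreeBSD code: packets are detached onto a private queue while the lock is held and sent only after it is dropped, so a reconfiguration in the gap cannot leave the sender holding a freed pipe. The function names follow the log; struct pkt, struct pipe, drain(), pipe_enqueue(), pipe_reconfigure(), dummynet_tick() and the gap hook are hypothetical, and a pthread mutex stands in for the kernel lock.

```c
#include <pthread.h>
#include <stdlib.h>

struct pkt  { struct pkt *next; };  /* hypothetical stand-ins, not the kernel's structures */
struct pipe { struct pkt *head; };
static pthread_mutex_t dn_lock = PTHREAD_MUTEX_INITIALIZER;
static struct pipe *cur_pipe;      /* protected by dn_lock; reconfiguration frees it */
/* Free a packet chain and return its length. */
static int drain(struct pkt *m) {
    int n = 0;
    for (struct pkt *next; m != NULL; m = next, n++) { next = m->next; free(m); }
    return n;
}
/* Queue one packet on the pipe, creating the pipe on first use. */
static void pipe_enqueue(void) {
    struct pkt *m = calloc(1, sizeof(*m));
    if (m == NULL) return;
    pthread_mutex_lock(&dn_lock);
    if (cur_pipe == NULL) cur_pipe = calloc(1, sizeof(*cur_pipe));
    if (cur_pipe != NULL) { m->next = cur_pipe->head; cur_pipe->head = m; } else free(m);
    pthread_mutex_unlock(&dn_lock);
}
/* User reconfiguration: free the pipe and whatever is still queued on it. */
static void pipe_reconfigure(void) {
    pthread_mutex_lock(&dn_lock);
    if (cur_pipe != NULL) { drain(cur_pipe->head); free(cur_pipe); cur_pipe = NULL; }
    pthread_mutex_unlock(&dn_lock);
}
/* Lock held: detach ready packets onto a private queue; send nothing here. */
static struct pkt *transmit_event(struct pipe *p) {
    struct pkt *q = p->head;
    p->head = NULL;
    return q;
}
/* Lock NOT held: walks only the private queue, never a pipe pointer. */
static int dummynet_send(struct pkt *q) { return drain(q); /* stands in for ip_output() */ }
/* One pass; gap (a test hook, may be NULL) runs in the window after unlock. */
static int dummynet_tick(void (*gap)(void)) {
    struct pkt *q = NULL;
    pthread_mutex_lock(&dn_lock);
    if (cur_pipe != NULL) q = transmit_event(cur_pipe);
    pthread_mutex_unlock(&dn_lock);
    if (gap != NULL) gap();
    return dummynet_send(q);
}
int main(void) {
    for (int i = 0; i < 3; i++) pipe_enqueue();
    return dummynet_tick(pipe_reconfigure) == 3 ? 0 : 1;
}
```

Building it with AddressSanitizer and passing pipe_reconfigure as the gap hook checks that no freed pipe memory is read after the unlock.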
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060203160504.GH10228>