From: Ruslan Ermilov
To: Gleb Smirnoff
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: Fri, 3 Feb 2006 18:05:04 +0200
Subject: Re: cvs commit: src/sys/netinet ip_dummynet.c
Message-ID: <20060203160504.GH10228@ip.net.ua>
In-Reply-To: <200602031138.k13BcK09081443@repoman.freebsd.org>

On Fri, Feb 03, 2006 at 11:38:19AM +0000, Gleb Smirnoff wrote:
> glebius     2006-02-03 11:38:19 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/netinet          ip_dummynet.c
>   Log:
>   Dropping the lock in the transmit_event() is not safe, because we
>   store some pipe pointers on stack. If user reconfigures dummynet
>   in the interlock gap, we can work with freed pipes after relock.
>
>   To fix this, we decided not to send packets in transmit_event(),
>   but fill a queue. At the end of dummynet() and dummynet_io(),
>   after the lock is dropped, if there is something in the queue
>   we run dummynet_send() to process the queue.
>
>   In collaboration with:  ru
>
>   Revision  Changes    Path
>   1.98      +115 -94   src/sys/netinet/ip_dummynet.c
>
The insufficient locking resulted in a "NULL-like" pointer dereference.
Fault virtual address was 0x18: NULL + 8 (sizeof of a pointer on amd64)
+ 0x10 (structure offset).

Thanks for providing the fix so quickly and for working overnight!


Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
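
The queue-then-send pattern described in the commit log, as an added example that is not the ip_dummynet.c code: a single-threaded C model in which a flag stands in for the dummynet lock and the reconfiguration is forced to land during the first send. The structures, `run_tick()`, `send_one()` and `reconfigure()` are hypothetical; `transmit_event()` and `dummynet_send()` only borrow their names from the commit log.

```c
#include <stdlib.h>
/* Simplified, hypothetical model; not the ip_dummynet.c structures. */
struct pkt  { struct pkt *next; };
struct pipe { struct pkt *head; };   /* packets ready to transmit */
static struct pipe *cfg_pipe;        /* protected by the lock */
static int lock_held;                /* single-threaded stand-in for the mutex */
static int sent, sent_locked;        /* packets sent; sends made under the lock */

static void lock(void)   { lock_held = 1; }
static void unlock(void) { lock_held = 0; }

/* A user reconfiguring dummynet: the pipe is freed under the lock. */
static void reconfigure(void) { lock(); free(cfg_pipe); cfg_pipe = NULL; unlock(); }

/* Output path, run unlocked. Constructed worst case: reconfigure lands here. */
static void send_one(struct pkt *p) {
    sent_locked += lock_held;
    sent++;
    if (cfg_pipe != NULL) reconfigure();
    free(p);
}

/* Locked part: only unlink the ready packets onto a private list. */
static struct pkt *transmit_event(struct pipe *pp) {
    struct pkt *q = pp->head;
    pp->head = NULL;
    return q;
}

/* Unlocked part: walks packets only and never touches a pipe. */
static void dummynet_send(struct pkt *q) {
    while (q != NULL) { struct pkt *next = q->next; send_one(q); q = next; }
}

/* Builds a pipe holding n packets, runs one tick, returns packets sent. */
int run_tick(int n) {
    struct pkt *q = NULL;
    sent = sent_locked = 0;
    cfg_pipe = calloc(1, sizeof(*cfg_pipe));
    for (int i = 0; cfg_pipe != NULL && i < n; i++) {
        struct pkt *p = calloc(1, sizeof(*p));
        if (p == NULL) break;
        p->next = cfg_pipe->head; cfg_pipe->head = p;
    }
    lock();
    if (cfg_pipe != NULL) q = transmit_event(cfg_pipe);
    unlock();                 /* no pipe pointer is live past this point */
    dummynet_send(q);
    return sent;
}
```

In this model the pipe is freed while the first packet is being sent, yet the remaining packets are still delivered because the drain loop holds only packet pointers.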