From: "Alexander N. Kabaev"
Date: Sat, 7 Jul 2001 15:01:29 -0400
To: freebsd-current@FreeBSD.org
Cc: freebsd-net@FreeBSD.org
Subject: This can't be right (bug in ip6_output.c)

The following code in netinet6/ip6_output.c:1673 just cannot be right:

    case IPV6_FW_GET:
        {
            struct mbuf *m;
            struct mbuf **mp = &m;

            if (ip6_fw_ctl_ptr == NULL)
            {
                if (m)
                    (void)m_free(m);
                return EINVAL;
            }
            error = (*ip6_fw_ctl_ptr)(optname, mp);
            if (error == 0)
                error = soopt_mcopyout(sopt, m); /* XXX */
            if (error == 0 && m)
                m_freem(m);
        }
        break;

The m_free call in the ip6_fw_ctl_ptr == NULL case apparently tries to free an uninitialized mbuf.

--
Alexander Kabaev

P.S. Below is the patch to remove the bogus m_free call:

Index: ip6_output.c =================================================================== RCS file: /usr/ncvs/src/sys/netinet6/ip6_output.c,v retrieving revision 1.28 diff -u -r1.28 ip6_output.c --- ip6_output.c 2001/06/24 20:25:38 1.28 +++ ip6_output.c 2001/07/07 18:57:51
@@ -1668,11 +1668,7 @@ struct mbuf **mp = &m; if (ip6_fw_ctl_ptr == NULL) - { - if (m) - (void)m_free(m); return EINVAL; - } error = (*ip6_fw_ctl_ptr)(optname, mp); if (error == 0) error = soopt_mcopyout(sopt, m); /* XXX */
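
Review bot: at the first context line of the hunk, `struct mbuf **mp = &m;` still points at an `m` that the code quoted in the message declares as `struct mbuf *m;` with no initializer, so the following `soopt_mcopyout(sopt, m)` depends entirely on `(*ip6_fw_ctl_ptr)(optname, mp)` having stored a valid pointer through `mp` whenever it returns 0. Removing the `m_free` from the `ip6_fw_ctl_ptr == NULL` branch is right, since nothing has been assigned to `m` at that point, but consider also declaring `struct mbuf *m = NULL;` so that the later `if (error == 0 && m)` test shown in the message reads a defined value rather than stack contents.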