From: John Baldwin
To: net@freebsd.org
Cc: Bjoern Zeeb
Date: Fri, 23 Dec 2011 15:08:52 -0500
Subject: [PATCH] Use of unreferenced ifa in in6
Message-Id: <201112231508.52861.jhb@freebsd.org>

The code to handle the SIOCGLIFADDR and SIOCDLIFADDR ioctls in in6_lifaddr_ioctl() does not grab a reference to an ifnet address structure that it uses after dropping the IF_ADDR_LOCK(). Based on other code that uses a similar pattern of finding an ifa while under the lock and then using it after dropping the lock, I believe it should be acquiring a reference on the ifa and then dropping that reference when it is done using the ifa. This (untested) patch should fix this, I believe:

Index: in6.c =================================================================== --- in6.c (revision 228777) +++ in6.c (working copy) @@ -1767,6 +1767,8 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c if (IN6_ARE_ADDR_EQUAL(&candidate, &match)) break; } + if (ifa != NULL) + ifa_ref(ifa); IF_ADDR_UNLOCK(ifp); if (!ifa) return EADDRNOTAVAIL;
@@ -1779,16 +1781,20 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c bcopy(&ia->ia_addr, &iflr->addr, ia->ia_addr.sin6_len); error = sa6_recoverscope( (struct sockaddr_in6 *)&iflr->addr); - if (error != 0) + if (error != 0) { + ifa_free(ifa); return (error); + } if ((ifp->if_flags & IFF_POINTOPOINT) != 0) { bcopy(&ia->ia_dstaddr, &iflr->dstaddr, ia->ia_dstaddr.sin6_len); error = sa6_recoverscope( (struct sockaddr_in6 *)&iflr->dstaddr); - if (error != 0) + if (error != 0) { + ifa_free(ifa); return (error); + } } else bzero(&iflr->dstaddr, sizeof(iflr->dstaddr)); @@ -1796,6 +1802,7 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c in6_mask2len(&ia->ia_prefixmask.sin6_addr, NULL); iflr->flags = ia->ia6_flags; /* XXX */ + ifa_free(ifa); return 0; } else { @@ -1819,6 +1826,7 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c ia->ia_prefixmask.sin6_len); ifra.ifra_flags = ia->ia6_flags; + ifa_free(ifa); return in6_control(so, SIOCDIFADDR_IN6, (caddr_t)&ifra, ifp, td); }
-- 
John Baldwin
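Review bot: in the first hunk (@@ -1767,6 +1767,8 @@) the `ifa_ref(ifa)` is placed while IF_ADDR_LOCK() is still held, which is the only point at which the address list guarantees the ifa is still alive; taking the reference after IF_ADDR_UNLOCK() would leave the same window in which a concurrent address removal can free the ifa before it is used. Minor style point: the new `if (ifa != NULL)` sits directly above the existing `if (!ifa)`, so the two NULL tests could use the same spelling.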
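Review bot: in the second hunk (@@ -1779,16 +1781,20 @@) each sa6_recoverscope() error path now carries its own `ifa_free(ifa); return (error);` pair, and the following hunk adds a third release before `return 0`, so the same reference is dropped at three separate points on one branch; a later early return added to the SIOCGLIFADDR branch would be easy to miss. Consider a single exit (`goto out;` with the `ifa_free(ifa)` at the label) so every return from that branch releases the reference in one place, and confirm that the one line between this hunk and the next (old line 1795, not shown in the context) contains no further return.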
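Review bot: in the third hunk (@@ -1796,6 +1802,7 @@) the release comes after the last read of `ia` (`iflr->flags = ia->ia6_flags;`), which is the required order since `ia` is the same object as `ifa`; the existing `/* XXX */` on that line predates this change and is unrelated to the reference handling.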
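Review bot: in the last hunk (@@ -1819,6 +1826,7 @@) dropping the reference before calling `in6_control(so, SIOCDIFADDR_IN6, ...)` is safe only because, as the visible context shows, everything needed (`ia_prefixmask`, `ia6_flags`) has already been copied into the local `ifra` and `ia` is not dereferenced again; a one-line comment saying so would stop a later edit from reordering the copy and the `ifa_free(ifa)`. Holding the reference across in6_control() would also be correct (the final release would then just perform the deferred free), so the placement is a documented choice rather than a defect.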
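The reference-under-lock pattern the patch applies, as an added userland model (this is not code from the patch or from FreeBSD's in6.c): a mutex-guarded refcounted list stands in for ifp->if_addrhead, IF_ADDR_LOCK()/IF_ADDR_UNLOCK(), ifa_ref() and ifa_free(); all function names, the sample address and the `frees` counter are constructed. race_survives() replays the scenario from the report: lookup, unlock, a concurrent delete, continued use of the object, which is only safe because the reference was taken before the unlock.

```c
/* Added, constructed userland model of the patch's pattern (not FreeBSD code): a
 * mutex-guarded refcounted list stands in for if_addrhead, IF_ADDR_LOCK, ifa_ref. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
struct addr { struct addr *next; atomic_int refcnt; char name[40]; };
static pthread_mutex_t addr_lock = PTHREAD_MUTEX_INITIALIZER;
static struct addr *addr_head;
static int frees;                   /* objects actually released */
/* Drop one reference; the last holder frees the object, as ifa_free() does. */
static void addr_free(struct addr *a)
{
	if (atomic_fetch_sub(&a->refcnt, 1) == 1) { frees++; free(a); }
}
/* Fixed lookup: take the reference before unlocking (ifa_ref before IF_ADDR_UNLOCK). */
static struct addr *addr_lookup_ref(const char *name)
{
	struct addr *a;
	pthread_mutex_lock(&addr_lock);
	for (a = addr_head; a != NULL && strcmp(a->name, name) != 0; a = a->next);
	if (a != NULL) atomic_fetch_add(&a->refcnt, 1);   /* list still pins it here */
	pthread_mutex_unlock(&addr_lock);
	return (a);
}
/* Concurrent delete: unlink under the lock, then drop the list's reference. */
static int addr_delete(const char *name)
{
	struct addr **pp, *a;
	pthread_mutex_lock(&addr_lock);
	for (pp = &addr_head; (a = *pp) != NULL; pp = &a->next)
		if (strcmp(a->name, name) == 0) { *pp = a->next; break; }
	pthread_mutex_unlock(&addr_lock);
	if (a != NULL) addr_free(a);
	return (a != NULL ? 0 : -1);
}
/* The race from the report: lookup, unlock, another path deletes the address,
 * caller keeps using it. Returns 1 if the held reference kept it valid. */
static int race_survives(void)
{
	struct addr *a = calloc(1, sizeof(*a));
	strncpy(a->name, "fe80::1%em0", sizeof(a->name) - 1); /* constructed */
	atomic_init(&a->refcnt, 1);     /* list's own reference; no threads yet */
	addr_head = a;
	if ((a = addr_lookup_ref("fe80::1%em0")) == NULL) return (0);
	addr_delete("fe80::1%em0");     /* unlinked, but our reference holds it */
	int alive = frees == 0 && strcmp(a->name, "fe80::1%em0") == 0;
	addr_free(a);                   /* last reference: only now is it freed */
	return (alive && frees == 1);
}
```

Without the atomic_fetch_add() in addr_lookup_ref(), addr_delete() would free the object while race_survives() still dereferences it, which is the use-after-free window the patch closes.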