Date: Mon, 4 Dec 2000 16:48:55 -0600
From: Jonathan Lemon
To: freebsd-security@freebsd.org, mouss
Subject: Re: ipfw/dummy: memory leak or what?
Message-ID: <20001204164855.I56974@prism.flugsvamp.com>

In , John Baldwin wrote:
>
>     if (m->m_type == MT_DUMMYNET) {
>         rule = (struct ip_fw_chain *)(m->m_data) ;
>         m = m->m_next ;
>         ip = mtod(m, struct ip *);
>         hlen = IP_VHL_HL(ip->ip_vhl) << 2;
>         goto iphack ;
>     } else

This isn't (theoretically) a leak. Dummynet works by prepending a
private data structure onto the mbuf chain; this structure is not an
mbuf, and should not be passed to m_freem(). Instead, look at the
following fragment of code within ip_dummynet.c:transmit_event(),
which takes care of freeing the data structure:

    switch (pkt->dn_dir) {
    case DN_TO_IP_IN :
        ip_input((struct mbuf *)pkt) ;
        break ;
    }
    FREE(pkt, M_IPFW);

Although this is quite non-obvious, from my point of view.
--
Jonathan
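
Added example (not part of the original message, and not FreeBSD kernel code): a userspace C model of the ownership rule described in the message above, with allocation counters so the absence of a leak can be checked. The toy_* names, the simplified header layout and the rule_id field are assumptions made for illustration.

```c
/* Userspace model only: all toy_* names are hypothetical, not kernel code. */
#include <stdlib.h>

enum { TOY_MT_DATA = 1, TOY_MT_DUMMYNET = 2 };

struct toy_mbuf {                  /* stand-in for struct mbuf */
    struct toy_mbuf *m_next;
    int m_type;
};

struct toy_dn_pkt {                /* private header prepended to the chain */
    struct toy_mbuf hdr;           /* first member, so m_type/m_next line up */
    int rule_id;                   /* stand-in for the matched ipfw rule */
};

static int live_mbufs, live_pkts;  /* outstanding objects per allocator */

static struct toy_mbuf *toy_m_get(void) {
    struct toy_mbuf *m = calloc(1, sizeof *m);
    if (m) { m->m_type = TOY_MT_DATA; live_mbufs++; }
    return m;
}

static void toy_m_freem(struct toy_mbuf *m) {   /* frees real mbufs only */
    while (m) { struct toy_mbuf *n = m->m_next; free(m); live_mbufs--; m = n; }
}

/* Consumer (models ip_input): skip the private header, consume the chain. */
static int toy_ip_input(struct toy_mbuf *m) {
    int rule = -1;
    if (m->m_type == TOY_MT_DUMMYNET) {
        rule = ((struct toy_dn_pkt *)m)->rule_id;
        m = m->m_next;             /* the header is NOT freed here */
    }
    toy_m_freem(m);                /* only the real mbuf chain */
    return rule;
}

/* Producer (models transmit_event): frees the header it allocated. */
static int toy_transmit_event(int rule_id) {
    struct toy_dn_pkt *pkt = calloc(1, sizeof *pkt);
    if (!pkt) return -1;
    live_pkts++;
    pkt->hdr.m_type = TOY_MT_DUMMYNET;
    pkt->hdr.m_next = toy_m_get();
    pkt->rule_id = rule_id;
    int rule = toy_ip_input((struct toy_mbuf *)pkt);
    free(pkt); live_pkts--;        /* the FREE(pkt, M_IPFW) step */
    return rule;
}

int toy_outstanding(void) { return live_mbufs + live_pkts; }
int main(void) { toy_transmit_event(7); return toy_outstanding(); }
```

Passing the header to toy_m_freem() in the consumer would release it with the wrong allocator and then again in the producer, which is why the skip-and-free-later split matters.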