From: John Baldwin <jhb@FreeBSD.org>
To: Kirk McKusick
cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: Thu, 16 Oct 2003 14:30:26 -0400 (EDT)
Subject: RE: cvs commit: src/sys/netinet ip_fw2.c
In-Reply-To: <200310160200.h9G20CZu030138@repoman.freebsd.org>
List-Id: CVS commit messages for the src tree

On 16-Oct-2003 Kirk McKusick wrote:
> mckusick    2003/10/15 19:00:12 PDT
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/netinet          ip_fw2.c
>   Log:
>   Malloc buckets of size 128 have been having their 64-byte offset
>   trashed after being freed. This has caused several panics including
>   kern/42277 related to soft updates. Jim Kuhn tracked the problem
>   down to ipfw limit rule processing. In the expiry of dynamic rules,
>   it is possible for an O_LIMIT_PARENT rule to be removed when it still
>   has live children. When the children eventually do expire, a pointer
>   to the (long gone) parent is dereferenced and a count decremented.
>   Since this memory can, and is, allocated for other purposes (in the
>   case of kern/42277 an inodedep structure), chaos ensues. The offset
>   in question in inodedep is the offset of the 16-bit count field in
>   the ipfw2 ipfw_dyn_rule.
>
>   Submitted by: Jim Kuhn
>   Reviewed by:  "Evgueni V. Gavrilov"
>   Reviewed by:  Ben Pfountz
>   MFC after:    1 week

Wow, impressive find!

-- 

John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/
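The lifetime bug the quoted log describes, modelled as an added C example; this is not ipfw code, not the FreeBSD allocator, and not the committed fix. It builds a first-fit bucket of 128-byte slots, a rule struct whose 16-bit count sits at offset 64, a parent freed while a child still points at it, an unrelated object reusing the freed slot, and a child expiry that decrements through the stale pointer. Everything here (`bucket_alloc`, `struct dyn_rule`, `expire_buggy`, `expire_fixed`, `run_scenario`, the timer values) is hypothetical; `expire_fixed` is one plausible repair (refuse to expire a parent with live children), stated as an assumption rather than as what the commit did.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 128-byte malloc bucket (not the FreeBSD allocator): first-fit
 * reuse hands the slot of a freed rule to the very next allocation. */
enum { SLOT_SIZE = 128, NSLOTS = 4, COUNT_OFFSET = 64 };
static unsigned char *pool;          /* NSLOTS * SLOT_SIZE bytes, calloc'd once */
static int slot_in_use[NSLOTS];

static void *bucket_alloc(void)
{
    if (pool == NULL)
        pool = calloc(NSLOTS, SLOT_SIZE);
    for (int i = 0; i < NSLOTS; i++)
        if (!slot_in_use[i]) {
            slot_in_use[i] = 1;
            return memset(pool + i * SLOT_SIZE, 0, SLOT_SIZE);
        }
    abort();                         /* bucket exhausted */
}

static void bucket_free(void *p)
{
    ptrdiff_t off = (unsigned char *)p - pool;
    assert(off >= 0 && off % SLOT_SIZE == 0 && off / SLOT_SIZE < NSLOTS);
    slot_in_use[off / SLOT_SIZE] = 0;
}

/* Hypothetical dynamic rule: the 16-bit child count sits at offset 64, the
 * offset the log says was being trashed in freed 128-byte buckets. */
struct dyn_rule {
    struct dyn_rule *parent;         /* O_LIMIT children point at their parent */
    unsigned char pad[COUNT_OFFSET - sizeof(struct dyn_rule *)];
    uint16_t count;                  /* live children (parents only) */
    uint16_t is_parent;
    uint32_t expire;                 /* the rule's own expiry time */
};
_Static_assert(offsetof(struct dyn_rule, count) == COUNT_OFFSET &&
               sizeof(struct dyn_rule) <= SLOT_SIZE, "rule layout");

/* Buggy expiry, as the log describes: a parent is freed on its own timer even
 * with live children, and each child later decrements through the stale
 * pointer, whatever that memory now holds. */
static void expire_buggy(struct dyn_rule *r, uint32_t now)
{
    if (r->expire > now)
        return;
    if (!r->is_parent && r->parent != NULL)
        r->parent->count--;          /* use after free once the parent is gone */
    bucket_free(r);
}

/* One hypothetical repair (an assumption, not necessarily the committed fix):
 * a parent with live children is not eligible for expiry, so its slot cannot
 * be reused while a child can still reach it. */
static void expire_fixed(struct dyn_rule *r, uint32_t now)
{
    if (r->expire > now)
        return;
    if (r->is_parent && r->count > 0)
        return;                      /* still referenced: keep it alive */
    if (!r->is_parent && r->parent != NULL)
        r->parent->count--;          /* parent is still live here */
    bucket_free(r);
}

/* Parent (slot 0) and child (slot 1) are created; the parent's timer fires
 * first; an unrelated object (an inodedep in the PR) takes the next free slot
 * and stores 5 at offset 64 via memcpy (no type punning); then the child
 * expires.  Returns that field: 5 if intact, 4 if the stale decrement hit it. */
static uint16_t run_scenario(void (*expire)(struct dyn_rule *, uint32_t))
{
    memset(slot_in_use, 0, sizeof slot_in_use);
    struct dyn_rule *parent = bucket_alloc();
    parent->is_parent = 1;
    parent->expire = 10;
    struct dyn_rule *child = bucket_alloc();
    child->parent = parent;
    child->expire = 20;
    parent->count = 1;
    expire(parent, 15);              /* parent's timer fires with a live child */
    unsigned char *victim = bucket_alloc();   /* slot 0 again if parent was freed */
    uint16_t field = 5;
    memcpy(victim + COUNT_OFFSET, &field, sizeof field);
    expire(child, 25);               /* child expires and touches its parent */
    memcpy(&field, victim + COUNT_OFFSET, sizeof field);
    return field;
}

int main(void)
{
    printf("buggy expiry: victim field = %u\n", (unsigned)run_scenario(expire_buggy));
    printf("fixed expiry: victim field = %u\n", (unsigned)run_scenario(expire_fixed));
    return 0;
}
```

The deterministic allocator is what makes the corruption reproducible: with the real kernel malloc the freed slot may or may not be handed to an unrelated consumer before the child expires, which is why the original symptom surfaced as sporadic panics in a subsystem (soft updates) that had nothing to do with ipfw. The repair shown is only one option; clearing each child's parent pointer when the parent is removed, or reference-counting the parent, would close the same hole.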