From owner-cvs-all@FreeBSD.ORG  Thu Nov 27 11:09:56 2003
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id A2C3216A4CE; Thu, 27 Nov 2003 11:09:56 -0800 (PST)
Received: from ebb.errno.com (ebb.errno.com [66.127.85.87])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 3C78C43FDF; Thu, 27 Nov 2003 11:09:55 -0800 (PST)
	(envelope-from sam@errno.com)
Received: from 66.127.85.91 ([66.127.85.91])
	(authenticated bits=0)
	by ebb.errno.com (8.12.9/8.12.9) with ESMTP id hARJ9rHQ078816
	(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO);
	Thu, 27 Nov 2003 11:09:54 -0800 (PST)
	(envelope-from sam@errno.com)
From: Sam Leffler <sam@errno.com>
Organization: Errno Consulting
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org,
	cvs-all@FreeBSD.org
Date: Thu, 27 Nov 2003 11:12:34 -0800
User-Agent: KMail/1.5.3
References: <200311270940.hAR9eEIx089417@repoman.freebsd.org>
In-Reply-To: <200311270940.hAR9eEIx089417@repoman.freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200311271112.34831.sam@errno.com>
Subject: Re: cvs commit: src/sys/netinet ip_fw2.c
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Nov 2003 19:09:56 -0000

On Thursday 27 November 2003 01:40 am, Andre Oppermann wrote:
> andre       2003/11/27 01:40:14 PST
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/netinet          ip_fw2.c
>   Log:
>   Fix verify_rev_path() function.  The author of this function tried to
>   cut corners which completely broke down when the routing table locking
>   was introduced.

The locking actually was unrelated to the problem.  The problem was that the 
code held a reference to a routing table entry w/o bumping the reference 
count.  The bug was identified because RTFREE (via RTFREE_LOCKED) zero's the 
argument after freeing the reference to safeguard "use after free" bugs.  
This however zero'd the pointer that was being held in static memory as a 
cache and broke the logic of the code.  This in turn broke the expected 
behaviour and caused someone to notice something was wrong.  The existing 
code was a potential landmine because there was no guarantee the held 
reference was valid.  I note that this same problem exists in -stable...

	Sam