Date: Wed, 13 Oct 2010 19:51:51 GMT
From: Andrew Boyer <aboyer@averesystems.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/151435: Reference leak in ip_dooptions()
Message-ID: <201010131951.o9DJpp4p045647@www.freebsd.org>
Resent-Message-ID: <201010132000.o9DK0J5J056418@freefall.freebsd.org>

>Number: 151435
>Category: kern
>Synopsis: Reference leak in ip_dooptions()
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 13 20:00:18 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Andrew Boyer
>Release: head
>Organization:
Avere Systems
>Environment:
N/A
>Description:
SVN 194760 changed ifa_ifwithaddr() so that it returns a reference along with the ifa. ifa_ifwithaddr_check() was added to simplify things for callers who didn't want to deal with a reference.
On line 344 of sys/netinet/ip_options.c, there's a call to ifa_ifwithaddr() that does not store a return value. It looks like it should have been converted to ifa_ifwithaddr_check().
This is only an issue if packets with IPOPT_TS_PRESPEC set are received, so it's not likely been a problem for anyone.
>How-To-Repeat:
Unknown - found by code review.
>Fix:
--- sys/netinet/ip_options.c
+++ sys/netinet/ip_options.c
@@ -341,7 +341,7 @@ dropit:
}
(void)memcpy(&ipaddr.sin_addr, sin,
sizeof(struct in_addr));
- if (ifa_ifwithaddr((SA)&ipaddr) == NULL)
+ if (ifa_ifwithaddr_check((SA)&ipaddr) == 0)
continue;
cp[IPOPT_OFFSET] += sizeof(struct in_addr);
off += sizeof(struct in_addr);
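Review bot: On the `+` line, the `== 0` test assumes ifa_ifwithaddr_check() returns nonzero when a local interface owns the address, so that `continue` is still taken only when no match exists, as with the old `== NULL`; please state that return convention in the commit message, since How-To-Repeat is "Unknown" and nothing here exercises the IPOPT_TS_PRESPEC path. It would also help to say whether the other ifa_ifwithaddr() callers were checked for the same discarded-return pattern, because this patch touches only this one call site.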
>Release-Note:
>Audit-Trail:
>Unformatted:
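The leak described in the report, as an added user-space model that is not part of the original message and is not FreeBSD kernel code: a lookup that returns a referenced object leaks one reference per match when the caller only tests the pointer. The table contents, `ifa_ref()`/`ifa_free()` bodies, `leaked_refs()` and the way the check variant is built on top of the lookup are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct ifaddr {
    uint32_t addr;      /* IPv4 address, host order */
    int      refcount;  /* stands in for the kernel's ifa reference count */
};

/* Constructed sample table: two local addresses, one base reference each. */
static struct ifaddr ifa_table[] = {
    { 0xC0000201u, 1 },  /* 192.0.2.1 */
    { 0xC6336401u, 1 },  /* 198.51.100.1 */
};
#define N_IFA (sizeof(ifa_table) / sizeof(ifa_table[0]))

static void ifa_ref(struct ifaddr *ifa)  { ifa->refcount++; }
static void ifa_free(struct ifaddr *ifa) { ifa->refcount--; }

/* Models the contract in the report: a match comes back with a reference held. */
static struct ifaddr *ifa_ifwithaddr(uint32_t addr) {
    for (size_t i = 0; i < N_IFA; i++)
        if (ifa_table[i].addr == addr) {
            ifa_ref(&ifa_table[i]);
            return &ifa_table[i];
        }
    return NULL;
}

/* Existence test only: no reference is left held when it returns (model). */
static int ifa_ifwithaddr_check(uint32_t addr) {
    struct ifaddr *ifa = ifa_ifwithaddr(addr);
    if (ifa == NULL)
        return 0;
    ifa_free(ifa);
    return 1;
}

/* Run n lookups the way the call site does; return references never released. */
static int leaked_refs(int n, uint32_t addr, int use_check) {
    int leaked = 0;
    for (size_t i = 0; i < N_IFA; i++)
        ifa_table[i].refcount = 1;                 /* reset the model */
    for (int i = 0; i < n; i++) {
        if (use_check)
            (void)ifa_ifwithaddr_check(addr);      /* patched call site */
        else
            (void)(ifa_ifwithaddr(addr) == NULL);  /* original: pointer discarded */
    }
    for (size_t i = 0; i < N_IFA; i++)
        leaked += ifa_table[i].refcount - 1;
    return leaked;
}

int main(void) {
    printf("original: %d leaked\n", leaked_refs(5, 0xC0000201u, 0));
    printf("patched:  %d leaked\n", leaked_refs(5, 0xC0000201u, 1));
    return 0;
}
```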
