Date: Tue, 03 Sep 2019 14:07:38 -0000
From: Enji Cooper <yaneurabeya@gmail.com>
To: Hans Petter Selasky <hselasky@FreeBSD.org>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all <svn-src-all@freebsd.org>, svn-src-head@freebsd.org
Subject: Re: svn commit: r346530 - in head/sys: netinet netinet6
Message-ID: <2F3D6B17-AF4F-4B0F-B20E-5EF41DE851F9@gmail.com>
In-Reply-To: <201904220727.x3M7ROpR009729@repo.freebsd.org>
References: <201904220727.x3M7ROpR009729@repo.freebsd.org>

> On Apr 22, 2019, at 12:27 AM, Hans Petter Selasky <hselasky@FreeBSD.org> wrote:
>
> Author: hselasky
> Date: Mon Apr 22 07:27:24 2019
> New Revision: 346530
> URL: https://svnweb.freebsd.org/changeset/base/346530
>
> Log:
> Fix panic in network stack due to memory use after free in relation to
> fragmented packets.
>
> When sending IPv4 and IPv6 fragmented packets and a fragment is lost,
> the mbuf making up the fragment will remain in the temporary hashed
> fragment list for a while. If the network interface departs before the
> so-called slow timeout clears the packet, the fragment causes a panic
> when the timeout kicks in due to accessing a freed network interface
> structure.
>
> Make sure that when a network device is departing, all hashed IPv4 and
> IPv6 fragments belonging to it, get freed.
>
> Backtrace:
> panic()
> icmp6_reflect()
>
> hlim = ND_IFINFO(m->m_pkthdr.rcvif)->chlim;
> ^^^^ rcvif->if_afdata[AF_INET6] is NULL.
>
> icmp6_error()
> frag6_freef()
> frag6_slowtimo()
> pfslowtimo()
> softclock_call_cc()
> softclock()
> ithread_loop()
>
> Differential Revision: https://reviews.freebsd.org/D19622
> Reviewed by: bz (network), adrian
> MFC after: 1 week
> Sponsored by: Mellanox Technologies

This commit broke the build on mips, etc:

07:36:06 --- ip_reass.o ---
07:36:06 /usr/src/sys/netinet/ip_reass.c:641: error: expected ')' before '(' token
07:36:06 *** [ip_reass.o] Error code 1

EVENTHANDLER_DEFINE looks like it doesn’t work with gcc?

Thanks,
-Enji