Date: Tue, 03 Sep 2019 14:07:26 -0000 From: Mark Johnston <markj@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r346118 - in head/sys: netinet netinet6 Message-ID: <201904110801.x3B810P1013695@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: markj Date: Thu Apr 11 08:00:59 2019 New Revision: 346118 URL: https://svnweb.freebsd.org/changeset/base/346118 Log: Reinitialize multicast source filter structures after invalidation. When leaving a multicast group, a hole may be created in the inpcb's source filter and group membership arrays. To remove the hole, the succeeding array elements are copied over by one entry. The multicast code expects that a newly allocated array element is initialized, but the code which shifts a tail of the array was leaving stale data in the final entry. Fix this by explicitly reinitializing the last entry following such a copy. Reported by: syzbot+f8c3c564ee21d650475e@syzkaller.appspotmail.com Reviewed by: ae MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D19872 Modified: head/sys/netinet/in_mcast.c head/sys/netinet6/in6_mcast.c Modified: head/sys/netinet/in_mcast.c ============================================================================== --- head/sys/netinet/in_mcast.c Thu Apr 11 05:11:02 2019 (r346117) +++ head/sys/netinet/in_mcast.c Thu Apr 11 08:00:59 2019 (r346118) @@ -2556,10 +2556,14 @@ out_in_multi_locked: if (is_final) { /* Remove the gap in the membership and filter array. */ + KASSERT(RB_EMPTY(&imf->imf_sources), + ("%s: imf_sources not empty", __func__)); for (++idx; idx < imo->imo_num_memberships; ++idx) { - imo->imo_membership[idx-1] = imo->imo_membership[idx]; - imo->imo_mfilters[idx-1] = imo->imo_mfilters[idx]; + imo->imo_membership[idx - 1] = imo->imo_membership[idx]; + imo->imo_mfilters[idx - 1] = imo->imo_mfilters[idx]; } + imf_init(&imo->imo_mfilters[idx - 1], MCAST_UNDEFINED, + MCAST_EXCLUDE); imo->imo_num_memberships--; } Modified: head/sys/netinet6/in6_mcast.c ============================================================================== --- head/sys/netinet6/in6_mcast.c Thu Apr 11 05:11:02 2019 (r346117) +++ head/sys/netinet6/in6_mcast.c Thu Apr 11 08:00:59 2019 (r346118) @@ -2470,10 +2470,14 @@ in6p_leave_group(struct inpcb *inp, struct sockopt *so if (is_final) { /* Remove the gap in the membership array. */ + KASSERT(RB_EMPTY(&imf->im6f_sources), + ("%s: im6f_sources not empty", __func__)); for (++idx; idx < imo->im6o_num_memberships; ++idx) { - imo->im6o_membership[idx-1] = imo->im6o_membership[idx]; - imo->im6o_mfilters[idx-1] = imo->im6o_mfilters[idx]; + imo->im6o_membership[idx - 1] = imo->im6o_membership[idx]; + imo->im6o_mfilters[idx - 1] = imo->im6o_mfilters[idx]; } + im6f_init(&imo->im6o_mfilters[idx - 1], MCAST_UNDEFINED, + MCAST_EXCLUDE); imo->im6o_num_memberships--; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201904110801.x3B810P1013695>