Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 03 Sep 2019 14:07:26 -0000
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r346118 - in head/sys: netinet netinet6
Message-ID:  <201904110801.x3B810P1013695@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: markj
Date: Thu Apr 11 08:00:59 2019
New Revision: 346118
URL: https://svnweb.freebsd.org/changeset/base/346118

Log:
  Reinitialize multicast source filter structures after invalidation.
  
  When leaving a multicast group, a hole may be created in the inpcb's
  source filter and group membership arrays.  To remove the hole, the
  succeeding array elements are copied over by one entry.  The multicast
  code expects that a newly allocated array element is initialized, but
  the code which shifts a tail of the array was leaving stale data
  in the final entry.  Fix this by explicitly reinitializing the last
  entry following such a copy.
  
  Reported by:	syzbot+f8c3c564ee21d650475e@syzkaller.appspotmail.com
  Reviewed by:	ae
  MFC after:	2 weeks
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D19872

Modified:
  head/sys/netinet/in_mcast.c
  head/sys/netinet6/in6_mcast.c

Modified: head/sys/netinet/in_mcast.c
==============================================================================
--- head/sys/netinet/in_mcast.c	Thu Apr 11 05:11:02 2019	(r346117)
+++ head/sys/netinet/in_mcast.c	Thu Apr 11 08:00:59 2019	(r346118)
@@ -2556,10 +2556,14 @@ out_in_multi_locked:
 
 	if (is_final) {
 		/* Remove the gap in the membership and filter array. */
+		KASSERT(RB_EMPTY(&imf->imf_sources),
+		    ("%s: imf_sources not empty", __func__));
 		for (++idx; idx < imo->imo_num_memberships; ++idx) {
-			imo->imo_membership[idx-1] = imo->imo_membership[idx];
-			imo->imo_mfilters[idx-1] = imo->imo_mfilters[idx];
+			imo->imo_membership[idx - 1] = imo->imo_membership[idx];
+			imo->imo_mfilters[idx - 1] = imo->imo_mfilters[idx];
 		}
+		imf_init(&imo->imo_mfilters[idx - 1], MCAST_UNDEFINED,
+		    MCAST_EXCLUDE);
 		imo->imo_num_memberships--;
 	}
 

Modified: head/sys/netinet6/in6_mcast.c
==============================================================================
--- head/sys/netinet6/in6_mcast.c	Thu Apr 11 05:11:02 2019	(r346117)
+++ head/sys/netinet6/in6_mcast.c	Thu Apr 11 08:00:59 2019	(r346118)
@@ -2470,10 +2470,14 @@ in6p_leave_group(struct inpcb *inp, struct sockopt *so
 
 	if (is_final) {
 		/* Remove the gap in the membership array. */
+		KASSERT(RB_EMPTY(&imf->im6f_sources),
+		    ("%s: im6f_sources not empty", __func__));
 		for (++idx; idx < imo->im6o_num_memberships; ++idx) {
-			imo->im6o_membership[idx-1] = imo->im6o_membership[idx];
-			imo->im6o_mfilters[idx-1] = imo->im6o_mfilters[idx];
+			imo->im6o_membership[idx - 1] = imo->im6o_membership[idx];
+			imo->im6o_mfilters[idx - 1] = imo->im6o_mfilters[idx];
 		}
+		im6f_init(&imo->im6o_mfilters[idx - 1], MCAST_UNDEFINED,
+		    MCAST_EXCLUDE);
 		imo->im6o_num_memberships--;
 	}
 





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201904110801.x3B810P1013695>