Date: Tue, 20 Oct 2009 21:36:57 +0000 (UTC) From: Qing Li <qingli@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org Subject: svn commit: r198308 - in stable/8/sys: . amd64/include/xen cddl/contrib/opensolaris contrib/dev/acpica contrib/pf dev/xen/xenpci netinet Message-ID: <200910202136.n9KLavvx079249@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: qingli Date: Tue Oct 20 21:36:56 2009 New Revision: 198308 URL: http://svn.freebsd.org/changeset/base/198308 Log: MFC 198301 In the ARP callout timer expiration function, the current time_second is compared against the entry expiration time value (that was set based on time_second) to check if the current time is larger than the set expiration time. Due to the +/- timer granularity value, the comparison returns false, causing the alternative code to be executed. The alternative code path freed the memory without removing that entry from the table list, causing a use-after-free bug. Reviewed by: discussed with kmacy Approved by: re Verified by: rnoland, yongari Modified: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) stable/8/sys/dev/xen/xenpci/ (props changed) stable/8/sys/netinet/if_ether.c Modified: stable/8/sys/netinet/if_ether.c ============================================================================== --- stable/8/sys/netinet/if_ether.c Tue Oct 20 21:29:46 2009 (r198307) +++ stable/8/sys/netinet/if_ether.c Tue Oct 20 21:36:56 2009 (r198308) @@ -168,17 +168,17 @@ arptimer(void *arg) ifp = lle->lle_tbl->llt_ifp; IF_AFDATA_LOCK(ifp); LLE_WLOCK(lle); - if (((lle->la_flags & LLE_DELETED) - || (time_second >= lle->la_expire)) - && (!callout_pending(&lle->la_timer) && - callout_active(&lle->la_timer))) + if ((!callout_pending(&lle->la_timer) && + callout_active(&lle->la_timer))) { (void) llentry_free(lle); + } +#ifdef DIAGNOSTICS else { - /* - * Still valid, just drop our reference - */ - LLE_FREE_LOCKED(lle); + struct sockaddr *l3addr = L3_ADDR(lle); + log(LOG_INFO, "arptimer issue: %p, IPv4 address: \"%s\"\n", lle, + inet_ntoa(((const struct sockaddr_in *)l3addr)->sin_addr)); } +#endif IF_AFDATA_UNLOCK(ifp); } @@ -365,7 +365,7 @@ retry: if (renew) { LLE_ADDREF(la); - la->la_expire = time_second; + la->la_expire = time_second + V_arpt_down; callout_reset(&la->la_timer, hz * V_arpt_down, arptimer, la); la->la_asked++; LLE_WUNLOCK(la);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200910202136.n9KLavvx079249>