From owner-freebsd-net@FreeBSD.ORG Tue Jan 3 17:35:36 2012
From: "Bjoern A. Zeeb"
To: John Baldwin
Cc: net@freebsd.org
Date: Tue, 3 Jan 2012 17:35:30 +0000
Subject: Re: [PATCH] Use of unreferenced ifa in in6
In-Reply-To: <201112231508.52861.jhb@freebsd.org>

On 23. Dec 2011, at 20:08 , John Baldwin wrote:

> The code to handle the SIOCGLIFADDR and SIOCDLIFADDR ioctls in
> in6_lifaddr_ioctl() does not grab a reference to an ifnet address structure
> that it uses after dropping the IF_ADDR_LOCK(). Based on other code that uses
> a similar pattern of finding an ifa while under the lock and then using it
> after dropping the lock, I believe it should be acquiring a reference on the
> ifa and then dropping that reference when it is done using the ifa. This
> (untested) patch should fix this I believe:

I almost assume it's been tested by now. From reading it looks right.

/bz

> Index: in6.c
> ===================================================================
> --- in6.c (revision 228777)
> +++ in6.c (working copy)
> @@ -1767,6 +1767,8 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c
> if (IN6_ARE_ADDR_EQUAL(&candidate, &match))
> break;
> }
> + if (ifa != NULL)
> + ifa_ref(ifa);
> IF_ADDR_UNLOCK(ifp);
> if (!ifa)
> return EADDRNOTAVAIL;
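Review bot: the new NULL test `if (ifa != NULL)` before `ifa_ref(ifa)` and the pre-existing `if (!ifa)` two lines later spell the same condition two ways; pick one form (`ifa == NULL` matches the new line) so the two checks read as the pair they are. The placement itself is right: the reference is taken before `IF_ADDR_UNLOCK(ifp)`, which is the only point at which the lookup result is still guaranteed to be alive, so there is no window between the list walk and the ref.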
> @@ -1779,16 +1781,20 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c
> bcopy(&ia->ia_addr, &iflr->addr, ia->ia_addr.sin6_len);
> error = sa6_recoverscope(
> (struct sockaddr_in6 *)&iflr->addr);
> - if (error != 0)
> + if (error != 0) {
> + ifa_free(ifa);
> return (error);
> + }
>
> if ((ifp->if_flags & IFF_POINTOPOINT) != 0) {
> bcopy(&ia->ia_dstaddr, &iflr->dstaddr,
> ia->ia_dstaddr.sin6_len);
> error = sa6_recoverscope(
> (struct sockaddr_in6 *)&iflr->dstaddr);
> - if (error != 0)
> + if (error != 0) {
> + ifa_free(ifa);
> return (error);
> + }
> } else
> bzero(&iflr->dstaddr, sizeof(iflr->dstaddr));
>
> @@ -1796,6 +1802,7 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c
> in6_mask2len(&ia->ia_prefixmask.sin6_addr, NULL);
>
> iflr->flags = ia->ia6_flags; /* XXX */
> + ifa_free(ifa);
>
> return 0;
> } else {
> @@ -1819,6 +1826,7 @@ in6_lifaddr_ioctl(struct socket *so, u_long cmd, c
> ia->ia_prefixmask.sin6_len);
>
> ifra.ifra_flags = ia->ia6_flags;
> + ifa_free(ifa);
> return in6_control(so, SIOCDIFADDR_IN6, (caddr_t)&ifra,
> ifp, td);
> }
>
>
> -- 
> John Baldwin

-- 
Bjoern A. Zeeb
You have to have visions! It does not matter how good you are.
It matters what good you do!
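Review bot: in the @@ -1779 hunk the two error exits after `sa6_recoverscope()` each grow their own `ifa_free(ifa); return (error);` block, and the success exit further down gets a third copy; with three release sites in one function a future early return is easy to leave without one, so a single `goto` to one `ifa_free(ifa); return (error);` label would be the safer shape. The placement is otherwise fine: nothing after either new `ifa_free(ifa)` reads `ia` or `ifa` before the return.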
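Review bot: in the @@ -1819 hunk `ifa_free(ifa)` is dropped before the `in6_control(so, SIOCDIFADDR_IN6, (caddr_t)&ifra, ifp, td)` call rather than after it; that order is correct only because `ifra` is a local passed by address and is filled in completely above (the last read of `ia` is `ifra.ifra_flags = ia->ia6_flags;`), so the callee never touches `ia` through this reference. A one-line comment saying the reference is deliberately released before the delete request would keep someone from "fixing" the order later and holding a reference across a call that removes the same address.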
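The pattern John describes (find an ifa under IF_ADDR_LOCK, use it after the unlock) is easiest to see in a small single-threaded model, so here is an added example that is not part of the thread and not FreeBSD code. All names are hypothetical stand-ins for the kernel's: `struct model_ifa` for the address, `lifaddr_get()` for the SIOCGLIFADDR path, `ifa_del()` for a concurrent SIOCDIFADDR, and a four-slot static pool for the allocator. The race is modelled by calling the delete path inline in the window where the real code holds no lock; `take_ref = 0` reproduces the unpatched code, `take_ref = 1` the patched pattern, and `fail_scope = 1` the error return the patch also fixes.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FreeBSD code: a single-threaded model of the
 * lookup-then-use pattern from in6_lifaddr_ioctl(). All names are
 * hypothetical. */

#define POOL_SIZE 4
#define POISON    0xdeadbeefu     /* value a freed slot is scribbled with */
#define MODEL_ERR 0xffffffffu     /* stands in for EADDRNOTAVAIL / error */

struct model_ifa {
    uint32_t addr;      /* stands in for ia->ia_addr */
    int      refcnt;    /* stands in for the ifa reference count */
    int      on_list;   /* linked into the per-interface address list */
    int      freed;     /* memory handed back to the allocator */
};

static struct model_ifa pool[POOL_SIZE];   /* poor man's allocator */
static int addr_lock_held;                 /* stands in for IF_ADDR_LOCK */
static int last_read_was_uaf;              /* set when a read hit freed memory */

static void if_addr_lock(void)   { addr_lock_held = 1; }
static void if_addr_unlock(void) { addr_lock_held = 0; }

static void model_ifa_ref(struct model_ifa *ifa) { ifa->refcnt++; }

/* Last reference gone: "free" the slot and scribble it, as a real
 * allocator may, so a stale read shows up instead of silently working. */
static void model_ifa_free(struct model_ifa *ifa)
{
    if (--ifa->refcnt == 0) {
        ifa->freed = 1;
        ifa->addr = POISON;
    }
}

/* Configure an address; the list owns one reference. */
static struct model_ifa *ifa_add(uint32_t addr)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].refcnt == 0) {
            pool[i].addr = addr;
            pool[i].refcnt = 1;
            pool[i].on_list = 1;
            pool[i].freed = 0;
            return &pool[i];
        }
    }
    return NULL;
}

/* Must be called with the list lock held, like the loop in the patch. */
static struct model_ifa *ifa_lookup_locked(uint32_t addr)
{
    assert(addr_lock_held);
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].on_list && pool[i].addr == addr)
            return &pool[i];
    return NULL;
}

/* The concurrent delete: unlink under the lock, then drop the list's
 * reference. Whether that frees the object depends on other holders. */
static void ifa_del(uint32_t addr)
{
    if_addr_lock();
    struct model_ifa *ifa = ifa_lookup_locked(addr);
    if (ifa != NULL)
        ifa->on_list = 0;
    if_addr_unlock();
    if (ifa != NULL)
        model_ifa_free(ifa);
}

/* The get path. take_ref=0: code before the patch; take_ref=1: patched.
 * fail_scope=1 emulates sa6_recoverscope() failing after the unlock. */
static uint32_t lifaddr_get(uint32_t addr, int take_ref, int fail_scope)
{
    if_addr_lock();
    struct model_ifa *ifa = ifa_lookup_locked(addr);
    if (ifa != NULL && take_ref)
        model_ifa_ref(ifa);           /* taken while still under the lock */
    if_addr_unlock();
    if (ifa == NULL)
        return MODEL_ERR;

    ifa_del(addr);                    /* the race window, made deterministic */

    if (fail_scope) {                 /* error return: release before leaving */
        if (take_ref)
            model_ifa_free(ifa);
        return MODEL_ERR;
    }
    last_read_was_uaf = ifa->freed;
    uint32_t out = ifa->addr;         /* the bcopy(&ia->ia_addr, ...) */
    if (take_ref)
        model_ifa_free(ifa);          /* done with it: drop our reference */
    return out;
}

/* Slots still referenced; 0 after a call means nothing was leaked. */
static int live_objects(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].refcnt > 0)
            n++;
    return n;
}

int main(void)
{
    ifa_add(0x0a000001u);
    printf("patched:   0x%08x uaf=%d live=%d\n",
           lifaddr_get(0x0a000001u, 1, 0), last_read_was_uaf, live_objects());
    ifa_add(0x0a000001u);
    printf("unpatched: 0x%08x uaf=%d live=%d\n",
           lifaddr_get(0x0a000001u, 0, 0), last_read_was_uaf, live_objects());
    return 0;
}
```

With the reference the get path reads the real address and the object is only freed by the final `model_ifa_free()`; without it the inline delete frees the slot first and the read returns the poison value, which is the use-after-free the patch closes. The `fail_scope` path shows why every early return in the patch needs its own `ifa_free()`: `live_objects()` stays at zero only because the error exit releases the reference it took.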