kern/151435: Reference leak in ip_dooptions()
Andrew Boyer
aboyer at averesystems.com
Wed Oct 13 20:00:19 UTC 2010
>Number: 151435
>Category: kern
>Synopsis: Reference leak in ip_dooptions()
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 13 20:00:18 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Andrew Boyer
>Release: head
>Organization:
Avere Systems
>Environment:
N/A
>Description:
SVN 194760 changed ifa_ifwithaddr() so that it returns a reference along with the ifa. ifa_ifwithaddr_check() was added to simplify things for callers who didn't want to deal with a reference.
On line 344 of sys/netinet/ip_options.c, there's a call to ifa_ifwithaddr() that does not store a return value. It looks like it should have been converted to ifa_ifwithaddr_check().
This is only an issue if packets with IPOPT_TS_PRESPEC set are received, so it's not likely been a problem for anyone.
>How-To-Repeat:
Unknown - found by code review.
>Fix:
--- sys/netinet/ip_options.c
+++ sys/netinet/ip_options.c
@@ -341,7 +341,7 @@ dropit:
}
(void)memcpy(&ipaddr.sin_addr, sin,
sizeof(struct in_addr));
- if (ifa_ifwithaddr((SA)&ipaddr) == NULL)
+ if (ifa_ifwithaddr_check((SA)&ipaddr) == 0)
continue;
cp[IPOPT_OFFSET] += sizeof(struct in_addr);
off += sizeof(struct in_addr);
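Review bot: The changed `if` fixes only this one call site, so the rest of the tree should be checked for other `ifa_ifwithaddr()` calls whose result is compared against NULL but never stored, since each of those takes a reference that nothing can later release. The `== 0` test is consistent with a check function that returns an integer rather than a pointer. Because this path is reached from received packets carrying IPOPT_TS_PRESPEC, a reference to the SVN 194760 change in the commit message would make it clear why the non-referencing variant is used here.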
>Release-Note:
>Audit-Trail:
>Unformatted: