kern/157209: [patch] locking error in rip6_input()
(sys/netinet6/raw_ip6.c)
Dmitrij Tejblum
tejblum at yandex-team.ru
Fri May 20 12:40:10 UTC 2011
>Number: 157209
>Category: kern
>Synopsis: [patch] locking error in rip6_input() (sys/netinet6/raw_ip6.c)
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri May 20 12:40:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Dmitrij Tejblum
>Release: 8.2-STABLE
>Organization:
Yandex
>Environment:
>Description:
On a failure path in rip6_input(), the PCB is unlocked before the lock is taken.
>How-To-Repeat:
>Fix:
A possible quick patch is attached; anothe quick possibility would be to remove the unlock.
Patch attached with submission follows:
--- sys/netinet6/raw_ip6.c 2010-08-31 19:52:12.000000000 +0400
+++ sys/netinet6/raw_ip6.c 2011-05-14 00:27:24.000000000 +0400
@@ -193,20 +193,20 @@
if (!IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) &&
prison_check_ip6(in6p->inp_cred,
&ip6->ip6_dst) != 0)
continue;
}
+ INP_RLOCK(in6p);
if (in6p->in6p_cksum != -1) {
V_rip6stat.rip6s_isum++;
if (in6_cksum(m, proto, *offp,
m->m_pkthdr.len - *offp)) {
INP_RUNLOCK(in6p);
V_rip6stat.rip6s_badsum++;
continue;
}
}
- INP_RLOCK(in6p);
/*
* If this raw socket has multicast state, and we
* have received a multicast, check if this socket
* should receive it, as multicast filtering is now
* the responsibility of the transport layer.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list