kern/182851: thread-unsafe handled routing tables

Slawa Olhovchenkov slw at
Wed Oct 9 07:00:00 UTC 2013

>Number:         182851
>Category:       kern
>Synopsis:       thread-unsafe handled routing tables
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 09 07:00:00 UTC 2013
>Originator:     Slawa Olhovchenkov
>Release:        9.2, 10.0
sys/net/radix.c contains

 * Work area -- the following point to 3 buffers of size max_keylen,
 * allocated in this order in a block of memory malloc'ed by rn_init.
 * rn_zeros, rn_ones are set in rn_init and used in readonly afterwards.
 * addmask_key is used in rn_addmask in rw mode and not thread-safe.
static char *rn_zeros, *rn_ones, *addmask_key;

addmask_key used by rn_addmask (called from rn_lookup, rn_addroute and rn_delete).
In all cases rn_addmask used in RW mode w/o proper locking.

addmask_key is absolutly globaly used -- for IPv4, IPv6 and other at once.

As result -- incorrect routing lookup, routing update and so.
(for example: kernel: rn_addmask: mask impossibly already in tree)

Delete global addmask_key.
Use local (on stack in rn_addmask) buffer.


More information about the freebsd-bugs mailing list