kern/182851: thread-unsafe handled routing tables
Slawa Olhovchenkov
slw at zxy.spb.ru
Wed Oct 9 07:00:00 UTC 2013
>Number: 182851
>Category: kern
>Synopsis: thread-unsafe handled routing tables
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 09 07:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Slawa Olhovchenkov
>Release: 9.2, 10.0
>Organization:
>Environment:
>Description:
sys/net/radix.c contains
/*
* Work area -- the following point to 3 buffers of size max_keylen,
* allocated in this order in a block of memory malloc'ed by rn_init.
* rn_zeros, rn_ones are set in rn_init and used in readonly afterwards.
* addmask_key is used in rn_addmask in rw mode and not thread-safe.
*/
static char *rn_zeros, *rn_ones, *addmask_key;
addmask_key used by rn_addmask (called from rn_lookup, rn_addroute and rn_delete).
In all cases rn_addmask used in RW mode w/o proper locking.
addmask_key is absolutly globaly used -- for IPv4, IPv6 and other at once.
As result -- incorrect routing lookup, routing update and so.
(for example: kernel: rn_addmask: mask impossibly already in tree)
>How-To-Repeat:
>Fix:
Delete global addmask_key.
Use local (on stack in rn_addmask) buffer.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list