ip_fastforward() sanity check..

Andre Oppermann andre at freebsd.org
Sat Nov 6 02:49:19 PST 2004


James wrote:
> 
> I seem to have a little concern in one specific early-sanity check in the
> ip_fastforward() function of the latest 5.3 code base:
> 
>         /*
>          * Is first mbuf large enough for ip header and is header present?
>          */
>         if (m->m_len < sizeof (struct ip) &&
>            (m = m_pullup(m, sizeof (struct ip))) == 0) {
>                 ipstat.ips_toosmall++;
>                 goto drop;
>         }
> 
> Okay, if m_pullup() returns 0 due to failure, it already called m_freem(m) by
> itself. But we have "goto drop;" after that, which is redundant, no?
> 
> I don't think this is a bit of issue in IPv4 implementation, but as obviously,
> in IPv6 implementation, if calling 'goto drop' or redundant m_freem(m) in case
> where m_pullup returns NULL/0, it may crash the kernel rock hard at
> m_tag_delete_chain in uipc_mbuf.c (even if you are checking 'if (m) m_freem(m)'
> as remains are left over)
> 
> If any one has any comments, please let me know. If this is not a concern
> please disregard my rant and excuse me for waste of time :)

This is indeed a bug.  Fixed in ip_fastfwd.c rev 1.24 a couple of minutes
ago.  Thanks for reporting.

-- 
Andre


More information about the freebsd-net mailing list