[csjp@FreeBSD.org: Re: rtfree: 0xffffff00036fb1e0 has 1 refs]

gnn at freebsd.org gnn at freebsd.org
Sat Sep 1 19:22:36 PDT 2007


At Wed, 29 Aug 2007 08:24:58 +0100,
Bruce M. Simpson wrote:
> 
> BTW: Casual inspection with kscope suggests there is a similar 
> free-while-locked issue in nd6_ns_input() (netinet6/nd6_nbr.c) and 
> in_arpinput() (netinet/if_ether.c).
> 
> nd6_ns_input() references rt->rt_gateway after rtfree(), a potential 
> race not to mention a use-after-free.
> 
> I haven't checked Coverity for this, but it just doesn't look right.

At least in the ND6 case I think that the correct logic is:

==== //depot/user/gnn/ipsec_seven/src/sys/netinet6/nd6_nbr.c#1 - /sources/p4/user/gnn/ipsec_seven/src/sys/netinet6/nd6_nbr.c ====
@@ -215,8 +215,6 @@
 		rt = rtalloc1((struct sockaddr *)&tsin6, 0, 0);
 		need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
 		    rt->rt_gateway->sa_family == AF_LINK);
-		if (rt)
-			rtfree(rt);
 		if (need_proxy) {
 			/*
 			 * proxy NDP for single entry
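Review bot: with the early `rtfree(rt)` gone, `rt` is now held across the whole `need_proxy` block, and nothing in this hunk says what state `rtalloc1()` hands it back in; the `need_proxy` expression already dereferences `rt->rt_gateway` and the block that follows reads it again (`proxydl = SDL(rt->rt_gateway)`), which is exactly the read the removed lines made a use-after-free. If `rtalloc1()` returns the entry locked as well as referenced, holding it through the block means holding the lock too, and the hunk shows no unlock, so add a one-line comment at `if (need_proxy)` stating that `rt` is deliberately still referenced (and whether it is locked) at that point.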
@@ -228,6 +226,9 @@
 				proxydl = SDL(rt->rt_gateway);
 			}
 		}
+		if (!need_proxy || ifa == NULL)
+			if (rt)
+				rtfree(rt);
 	}
 	if (ifa == NULL) {
 		/*
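Review bot: the new release condition leaves `rt` referenced when `need_proxy && ifa != NULL`, and nothing in this hunk frees it on that path; since `proxydl = SDL(rt->rt_gateway)` points into the entry, the matching `rtfree(rt)` has to come after the last use of `proxydl` further down, and that later release should appear in the patch or at least be named in the description so a reviewer can check it. Style-wise, the unbraced nested `if (!need_proxy || ifa == NULL)` / `if (rt)` reads as a single condition; `if (rt != NULL && (!need_proxy || ifa == NULL))` with a short comment explaining why the reference is kept in the proxy case is clearer, and note the `if (rt)` guard only matters when `need_proxy` is false, because `need_proxy` already implies `rt != NULL`.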

Thoughts?

Best,
George
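As an added illustration, not part of this thread or of FreeBSD's source, here is a small C model of the lifetime rule the patch enforces: the route reference returned by the lookup must outlive every read through `rt->rt_gateway`. Dropping it first only works while some other holder (the routing table) keeps the entry alive, which is why the original ordering looks fine in testing and fails under a concurrent route deletion. The structs, the fixed-size table, the poisoning `rtfree()` and the two `proxy_lladdr_*` functions are constructed for this example; only the names `rtentry`, `rtalloc1`, `rtfree`, `RTF_ANNOUNCE` and `AF_LINK` echo the kernel's.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of a refcounted route entry (not the kernel's). */
#define RTF_ANNOUNCE 0x0001
#define AF_LINK      18
#define NRT          4
#define ETHER_LEN    6

struct sockaddr_dl {
    int           sdl_family;            /* AF_LINK for a link-layer gateway */
    unsigned char sdl_data[ETHER_LEN];   /* the link-layer address */
};

struct rtentry {
    int                 refcnt;          /* 0: slot is free */
    int                 rt_flags;
    struct sockaddr_dl  rt_gwbuf;        /* storage rt_gateway points into */
    struct sockaddr_dl *rt_gateway;
};

static struct rtentry rt_table[NRT];

/* Install a route; the table itself holds one reference. */
struct rtentry *rt_add(int slot, int flags, const unsigned char mac[ETHER_LEN])
{
    struct rtentry *rt = &rt_table[slot];
    memset(rt, 0, sizeof(*rt));
    rt->refcnt = 1;
    rt->rt_flags = flags;
    rt->rt_gwbuf.sdl_family = AF_LINK;
    memcpy(rt->rt_gwbuf.sdl_data, mac, ETHER_LEN);
    rt->rt_gateway = &rt->rt_gwbuf;
    return rt;
}

/* rtalloc1() stand-in: look the route up and give the caller a reference. */
struct rtentry *rtalloc1(int slot)
{
    struct rtentry *rt = &rt_table[slot];
    if (rt->refcnt == 0)
        return NULL;
    rt->refcnt++;
    return rt;
}

/* rtfree() stand-in: drop a reference.  On the last one the gateway is
 * poisoned (family 0, zeroed address) so a later read is visible in the
 * result instead of silently returning recycled memory. */
void rtfree(struct rtentry *rt)
{
    if (--rt->refcnt > 0)
        return;
    rt->rt_flags = 0;
    rt->rt_gwbuf.sdl_family = 0;
    memset(rt->rt_gwbuf.sdl_data, 0, ETHER_LEN);
}

/* Route deletion drops the table's reference; a lookup holder that still
 * has its own reference keeps the entry alive until it calls rtfree(). */
void rt_delete(int slot) { rtfree(&rt_table[slot]); }
int  rt_refcnt(int slot) { return rt_table[slot].refcnt; }

/* Ordering from the original code: release first, read rt_gateway after.
 * Correct only while another holder keeps the entry alive. */
bool proxy_lladdr_buggy(struct rtentry *rt, unsigned char out[ETHER_LEN])
{
    bool need_proxy = rt != NULL && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
        rt->rt_gateway->sdl_family == AF_LINK;
    if (rt != NULL)
        rtfree(rt);
    if (!need_proxy)
        return false;
    memcpy(out, rt->rt_gateway->sdl_data, ETHER_LEN);  /* read after release */
    return true;
}

/* Ordering the patch moves to: keep the reference until the last use of
 * the gateway, then release it on every path. */
bool proxy_lladdr_fixed(struct rtentry *rt, unsigned char out[ETHER_LEN])
{
    bool need_proxy = rt != NULL && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
        rt->rt_gateway->sdl_family == AF_LINK;
    if (need_proxy)
        memcpy(out, rt->rt_gateway->sdl_data, ETHER_LEN);
    if (rt != NULL)
        rtfree(rt);
    return need_proxy;
}

int main(void)
{
    static const unsigned char mac[ETHER_LEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    unsigned char out[ETHER_LEN];
    struct rtentry *rt;

    /* Route deleted between lookup and use: the lookup holds the last ref. */
    rt_add(0, RTF_ANNOUNCE, mac);
    rt = rtalloc1(0);
    rt_delete(0);
    printf("buggy: proxy=%d first byte=%02x (expected 00, poisoned)\n",
           proxy_lladdr_buggy(rt, out), out[0]);

    rt_add(1, RTF_ANNOUNCE, mac);
    rt = rtalloc1(1);
    rt_delete(1);
    printf("fixed: proxy=%d first byte=%02x (expected 00 from the MAC)\n",
           proxy_lladdr_fixed(rt, out), out[0]);
    return 0;
}
```

The "poisoning" free is the instrumented stand-in for what an allocator does to freed memory; in the kernel the same read would return whatever the slab was reused for. The patch in the message keeps the reference rather than copying the address out, which is the same rule applied later in the function, since `proxydl` continues to point into the entry.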


More information about the freebsd-net mailing list