ng_bridge(4) has an easily exploitable memory leak
Ruslan Ermilov
ru at freebsd.org
Thu Apr 8 12:44:24 PDT 2004
On Thu, Apr 08, 2004 at 11:42:21AM -0700, Julian Elischer wrote:
> looks good but:
>
> + if (destLink == firstLink) {
> + /*
> + * If we've sent all the others, send the
> original
> + * on the first link we found.
> + */
> + NG_SEND_DATA(error, destLink->hook, m, meta);
> + break; /* always done last - not really
> needed. */
> + } else {
> + NG_SEND_DATA(error, destLink->hook, m2, meta2);
> + }
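
Review bot: the `break` in the `destLink == firstLink` branch carries the comment "always done last - not really needed", which leaves it unclear whether loop termination depends on it. If the loop condition already ends once the first link has been served, drop the `break`; if it does not, say so in the comment instead. Both NG_SEND_DATA calls also write to the same `error`, so a failure reported while sending a copy (`m2`, `meta2`) is overwritten by the result of the final send of the original; keep the first non-zero value if the caller is meant to see it.
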
>
>
> couldn't this be avoided by previously doing:
>
>
> + if (linkNum == priv->numLinks) {
> + /* If we never saw a good link, leave. */
> + if (firstLink == NULL) {
> + NG_FREE_DATA(m, meta);
> + return (0);
> + }
> + destLink = firstLink;
> ---> m2 = m;
> ---> meta2 = meta;
> ---> m=NULL;
> ---> meta=NULL;
> + }
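
Review bot: a comment is missing on the `--->` lines to say that ownership of the original moves to `m2`/`meta2` and that `m`/`meta` are NULL from this point on; any later path that frees or sends `m`/`meta` would act on NULL, so cleanup has to go through `m2`/`meta2`. The NG_SEND_DATA definition quoted in this message sets its `m` and `meta` arguments to NULL after the send, so with the single remaining call all four pointers end up NULL, which is the state worth documenting. Style: write `m = NULL;` and `meta = NULL;` with spaces around `=`, matching the two assignments above them.
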
>
>
> I leave it up to you to decide which you prefer, (but remember that
> NG_SEND_DATA is a macro and expands somewhat).
>
> specifically, to (sorry about linewrap):
> #define NG_SEND_DATA(error, hook, m, meta) \
> do {\
> item_p _item; \
> if ((_item = ng_package_data((m), (meta)))) {\
> NG_FWD_ITEM_HOOK(error, _item, hook); \
> } else { \
> (error) = ENOMEM; \
> }\
> (m) = NULL; \
> (meta) = NULL; \
> } while (0)
>
> where NG_FWD_ITEM_HOOK
> itself expands to:
> #define NG_FWD_ITEM_HOOK(error, item, hook) \
> do { \
> (error) = \
> ng_address_hook(NULL, (item), (hook), 0); \
> if (error == 0) { \
> SAVE_LINE(item); \
> (error) = ng_snd_item((item), 0); \
> } \
> (item) = NULL; \
> } while (0)
>
> so only having one of those saves a bit of code.
>
Your proposal of course looks good, but remember I was only doing a
porting of _your_ code for MFC, per your request. My whole purpose
of this posting was to go ask you to please MFC your fix which you
mixed with the SMP-related work on Netgraph in rev. 1.8. ;)
Cheers,
--
Ruslan Ermilov
ru at FreeBSD.org
FreeBSD committer