ng_bridge(4) has an easily exploitable memory leak

Ruslan Ermilov ru at freebsd.org
Thu Apr 8 12:44:24 PDT 2004


On Thu, Apr 08, 2004 at 11:42:21AM -0700, Julian Elischer wrote:
> looks good but:
> 
> +               if (destLink == firstLink) { 
> +                       /*
> +                        * If we've sent all the others, send the
> original
> +                        * on the first link we found.
> +                        */
> +                       NG_SEND_DATA(error, destLink->hook, m, meta);
> +                       break; /* always done last - not really
> needed. */
> +               } else {
> +                       NG_SEND_DATA(error, destLink->hook, m2, meta2);
> +               }
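Review bot: the `if (destLink == firstLink)` / `else` split leaves two NG_SEND_DATA sites that differ only in which pair they consume (`m, meta` versus `m2, meta2`), and each site is a full ng_package_data plus NG_FWD_ITEM_HOOK expansion; moving the original into m2/meta2 (and NULLing m/meta) before the send leaves a single site, which is the smaller form. The comment on the `break` says it is "not really needed", but the hunk does not show the loop condition that would make this the last iteration, so either drop the break or say in the comment why it is kept. The allocation of m2 and its NULL check are also outside the hunk; the failure path there must still free the original `m, meta`, otherwise the leak this patch fixes comes back on ENOMEM.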
> 
> 
> couldn't this be avoided by previously doing:
> 
> 
> +               if (linkNum == priv->numLinks) {
> +                       /* If we never saw a good link, leave. */
> +                       if (firstLink == NULL) {
> +                               NG_FREE_DATA(m, meta);
> +                               return (0);
> +                       }       
> +                       destLink = firstLink;
> --->                    m2 = m;
> --->                    meta2 = meta;
> --->                    m=NULL;
> --->                    meta=NULL;
> +               }
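Review bot: the four lines marked `--->` are the proposed change but carry no `+` marker, so as shown this fragment does not apply as a patch; if this is the form to MFC, they need to be added lines. With `m = NULL; meta = NULL;` after the hand-off to m2/meta2, any later `NG_FREE_DATA(m, meta)` on an error path becomes a no-op for the original, which is only correct if the single NG_SEND_DATA(m2, meta2) site is then always reached; the `if (firstLink == NULL)` early return above frees and leaves before the hand-off, so the no-good-link case is already covered.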
> 
> 
> I leave it up to you to decide which you prefer (but remember that
> NG_SEND_DATA is a macro and expands somewhat).
> 
> specifically, to (sorry about linewrap):
> #define NG_SEND_DATA(error, hook, m, meta)    \
>         do {\
>                 item_p _item;                 \
>                 if ((_item = ng_package_data((m), (meta)))) {\
>                         NG_FWD_ITEM_HOOK(error, _item, hook);    \
>                 } else { \
>                         (error) = ENOMEM;     \   
>                 }\   
>                 (m) = NULL;   \
>                 (meta) = NULL;      \
>         } while (0)
> 
> where NG_FWD_ITEM_HOOK
> itself expands to:
> #define NG_FWD_ITEM_HOOK(error, item, hook)   \
>         do { \
>                 (error) = \
>                     ng_address_hook(NULL, (item), (hook), 0);   \
>                 if (error == 0) { \
> 			SAVE_LINE(item);      \
>                         (error) = ng_snd_item((item), 0);   \ 
>                 } \
>                 (item) = NULL;         \ 
>         } while (0)
>  
> so only having one of those saves a bit of code.
> 
Your proposal of course looks good, but remember I was only doing a
porting of _your_ code for MFC, per your request.  My whole purpose
of this posting was to go ask you to please MFC your fix which you
mixed with the SMP-related work on Netgraph in rev. 1.8.  ;)


Cheers,
-- 
Ruslan Ermilov
ru at FreeBSD.org
FreeBSD committer
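The ownership rule both forms of the loop rely on is that NG_SEND_DATA consumes the (mbuf, meta) pair and NULLs the caller's pointers, so the broadcast loop must either send the original exactly once or free it itself. The following is an added userland model of that pattern and is not code from ng_bridge(4) or netgraph.h: the pkt_t/link_t types, the SEND_DATA/FREE_DATA macros, the counting allocator, the constructed test frame and the helper names are all assumptions made here. The "missing free" variant is a hypothetical illustration of the leak that the `firstLink == NULL` check prevents; a live-packet counter shows that both the two-send form from the MFC hunk and the single-send form from the quoted reply return to zero, while the variant does not.

```c
/* Userland model of the netgraph broadcast-send ownership pattern.
 * Added example, not ng_bridge(4)/netgraph.h code: pkt_t, link_t,
 * SEND_DATA, FREE_DATA, the counting allocator and the test frame are
 * constructed here to mirror NG_SEND_DATA (consumes m, NULLs the pointer). */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

typedef struct pkt { size_t len; unsigned char data[64]; } pkt_t;
typedef struct link { int up; int sent; } link_t;

static int live_pkts;	/* packets currently allocated; 0 means no leak */
static int last_sent;	/* packets delivered to links in the last run */

static pkt_t *pkt_alloc(const unsigned char *d, size_t n)
{
	pkt_t *p;

	if (n > sizeof p->data || (p = malloc(sizeof *p)) == NULL)
		return (NULL);
	p->len = n;
	memcpy(p->data, d, n);
	live_pkts++;
	return (p);
}
static void pkt_free(pkt_t *p) { if (p != NULL) { free(p); live_pkts--; } }
static pkt_t *pkt_copy(const pkt_t *p) { return (pkt_alloc(p->data, p->len)); }

/* Like NG_SEND_DATA: the packet is consumed and the caller's pointer NULLed. */
#define SEND_DATA(error, link, m) do {	\
	(link)->sent++; pkt_free(m); (m) = NULL; (error) = 0; \
} while (0)
#define FREE_DATA(m) do { pkt_free(m); (m) = NULL; } while (0)

/* Index of the next link that is up, or n if there is none. */
static int next_up(const link_t *links, int n, int i)
{
	while (i < n && !links[i].up)
		i++;
	return (i);
}

/* Two-send form, as in the MFC hunk: copies to every later up link,
 * then the original on the first up link found. */
static int broadcast_two_sends(link_t *links, int n, pkt_t *m)
{
	link_t *first = NULL, *dest;
	pkt_t *m2;
	int i = 0, error = 0;

	for (;;) {
		m2 = NULL;
		if ((i = next_up(links, n, i)) == n) {
			if (first == NULL) { FREE_DATA(m); return (0); } /* no good link */
			dest = first;
		} else {
			dest = &links[i++];
			if (first == NULL) { first = dest; continue; }	/* gets the original last */
			if ((m2 = pkt_copy(m)) == NULL) { FREE_DATA(m); return (ENOMEM); }
		}
		if (dest == first) {
			SEND_DATA(error, dest, m);	/* original: always the last send */
			break;
		} else
			SEND_DATA(error, dest, m2);
	}
	return (error);
}

/* Single-send form, as proposed in the quoted reply: the original is moved
 * into m2 (m = NULL) so one SEND_DATA site serves both cases. free_on_no_link
 * == 0 is a hypothetical variant that omits the FREE_DATA when no link was
 * up, to show that the original then leaks. */
static int broadcast_one_send(link_t *links, int n, pkt_t *m, int free_on_no_link)
{
	link_t *first = NULL, *dest;
	pkt_t *m2;
	int i = 0, error = 0;

	while (m != NULL) {
		if ((i = next_up(links, n, i)) == n) {
			if (first == NULL) {
				if (free_on_no_link)
					FREE_DATA(m);
				return (0);		/* without the free, m is never consumed */
			}
			dest = first;
			m2 = m;				/* hand the original over */
			m = NULL;
		} else {
			dest = &links[i++];
			if (first == NULL) { first = dest; continue; }
			if ((m2 = pkt_copy(m)) == NULL) { FREE_DATA(m); return (ENOMEM); }
		}
		SEND_DATA(error, dest, m2);		/* the only send site */
	}
	return (error);
}
static int one_send(link_t *l, int n, pkt_t *m) { return (broadcast_one_send(l, n, m, 1)); }
static int one_send_missing_free(link_t *l, int n, pkt_t *m) { return (broadcast_one_send(l, n, m, 0)); }

/* Broadcast one constructed frame over links with the given up flags;
 * returns packets still allocated afterwards (0 = no leak), total sent in last_sent. */
static int leaked_after(int (*fn)(link_t *, int, pkt_t *), const int *ups, int n)
{
	static const unsigned char frame[] = "constructed test frame";
	link_t links[8];
	pkt_t *m;
	int i;

	if (n > 8)
		return (-1);
	live_pkts = 0;
	for (i = 0; i < n; i++) { links[i].up = ups[i]; links[i].sent = 0; }
	if ((m = pkt_alloc(frame, sizeof frame)) == NULL)
		return (-1);
	(void)fn(links, n, m);
	for (i = 0, last_sent = 0; i < n; i++)
		last_sent += links[i].sent;
	return (live_pkts);
}
```

With links {up, down, up, up} both forms deliver three packets and leave none allocated; with every link down both free the original and deliver nothing, while the hypothetical variant without the free leaves one packet live, which is the leak the `firstLink == NULL` check exists to close.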