svn commit: r242673 - head/sys/net
Guy Helmer
ghelmer at FreeBSD.org
Tue Nov 6 21:07:05 UTC 2012
Author: ghelmer
Date: Tue Nov 6 21:07:04 2012
New Revision: 242673
URL: http://svnweb.freebsd.org/changeset/base/242673
Log:
Work around a race in bpfread() by validating the hold buffer pointer
before freeing it. Otherwise, we can lose a buffer and cause a panic
in catchpacket().
Modified:
head/sys/net/bpf.c
Modified: head/sys/net/bpf.c
==============================================================================
--- head/sys/net/bpf.c Tue Nov 6 20:30:23 2012 (r242672)
+++ head/sys/net/bpf.c Tue Nov 6 21:07:04 2012 (r242673)
@@ -954,10 +954,13 @@ bpfread(struct cdev *dev, struct uio *ui
error = bpf_uiomove(d, d->bd_hbuf, d->bd_hlen, uio);
BPFD_LOCK(d);
- d->bd_fbuf = d->bd_hbuf;
- d->bd_hbuf = NULL;
- d->bd_hlen = 0;
- bpf_buf_reclaimed(d);
+ if (d->bd_hbuf != NULL) {
+ /* Free the hold buffer only if it is still valid. */
+ d->bd_fbuf = d->bd_hbuf;
+ d->bd_hbuf = NULL;
+ d->bd_hlen = 0;
+ bpf_buf_reclaimed(d);
+ }
BPFD_UNLOCK(d);
return (error);
More information about the svn-src-all
mailing list