svn commit: r346530 - in head/sys: netinet netinet6
Hans Petter Selasky
hps at selasky.org
Mon Apr 22 08:32:44 UTC 2019
On 4/22/19 10:10 AM, Hans Petter Selasky wrote:
> On 4/22/19 9:52 AM, Enji Cooper wrote:
>>
>>> On Apr 22, 2019, at 12:27 AM, Hans Petter Selasky
>>> <hselasky at FreeBSD.org> wrote:
>>>
>>> Author: hselasky
>>> Date: Mon Apr 22 07:27:24 2019
>>> New Revision: 346530
>>> URL: https://svnweb.freebsd.org/changeset/base/346530
>>>
>>> Log:
>>> Fix panic in network stack due to memory use after free in relation to
>>> fragmented packets.
>>>
>>> When sending IPv4 and IPv6 fragmented packets and a fragment is lost,
>>> the mbuf making up the fragment will remain in the temporary hashed
>>> fragment list for a while. If the network interface departs before the
>>> so-called slow timeout clears the packet, the fragment causes a panic
>>> when the timeout kicks in due to accessing a freed network interface
>>> structure.
>>>
>>> Make sure that when a network device is departing, all hashed IPv4 and
>>> IPv6 fragments belonging to it get freed.
>>>
>>> Backtrace:
>>> panic()
>>> icmp6_reflect()
>>>
>>> hlim = ND_IFINFO(m->m_pkthdr.rcvif)->chlim;
>>> ^^^^ rcvif->if_afdata[AF_INET6] is NULL.
>>>
>>> icmp6_error()
>>> frag6_freef()
>>> frag6_slowtimo()
>>> pfslowtimo()
>>> softclock_call_cc()
>>> softclock()
>>> ithread_loop()
>>>
>>> Differential Revision: https://reviews.freebsd.org/D19622
>>> Reviewed by: bz (network), adrian
>>> MFC after: 1 week
>>> Sponsored by: Mellanox Technologies
>>
>> This commit broke the build on mips, etc:
>>
>> 07:36:06
>> --- ip_reass.o ---
>>
>> 07:36:06
>> /usr/src/sys/netinet/ip_reass.c:641: error: expected ')' before '(' token
>>
>> 07:36:06 *** [ip_reass.o] Error code 1
>>
>> EVENTHANDLER_DEFINE looks like it doesn’t work with gcc?
>
> I'm looking into it.
>
> Thank you!
>
> --HPS
>
>
>
Should be fixed by r346535.
Else I'll revert.
--HPS
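
The lifetime rule in the quoted commit log (free an interface's queued fragments when the interface departs, before the slow timeout can dereference it) is modelled below as an added user-space example. It is not code from r346530 or the FreeBSD tree, and all names in it (`ifnet_model`, `frag_sweep`, `ifnet_depart`, `scenario`) are hypothetical.

```c
/* User-space model of the fix; not FreeBSD kernel code. All names are hypothetical. */
#include <stdlib.h>

#define NBUCKETS 4
struct ifnet_model { int hlim; };            /* stand-in for struct ifnet */
/* Stand-in for a queued fragment mbuf; rcvif is borrowed, no reference is held. */
struct frag { struct frag *next; struct ifnet_model *rcvif; int ttl; };
static struct frag *buckets[NBUCKETS];       /* the temporary hashed fragment list */

int frag_enqueue(struct ifnet_model *ifp, unsigned hash, int ttl) {
    struct frag *f = malloc(sizeof(*f));
    if (f == NULL) return -1;
    f->rcvif = ifp; f->ttl = ttl;
    f->next = buckets[hash % NBUCKETS];
    buckets[hash % NBUCKETS] = f;
    return 0;
}
/* Walk every bucket; drop fragments of ifp (purge) or expired ones (ifp == NULL). */
static int frag_sweep(const struct ifnet_model *ifp) {
    int dropped = 0;
    for (int i = 0; i < NBUCKETS; i++) {
        struct frag **pp = &buckets[i];
        while (*pp != NULL) {
            struct frag *f = *pp;
            int drop = ifp ? (f->rcvif == ifp) : (--f->ttl <= 0);
            if (!drop) { pp = &f->next; continue; }
            /* The timeout path reads the interface, as icmp6_reflect() does for hlim. */
            if (ifp == NULL && f->rcvif->hlim < 0) abort();
            *pp = f->next; free(f); dropped++;
        }
    }
    return dropped;
}
int frag_slowtimo(void) { return frag_sweep(NULL); }
/* Departure in the fixed order: purge the interface's fragments, then free it. */
int ifnet_depart(struct ifnet_model *ifp) {
    int n = frag_sweep(ifp);
    free(ifp);
    return n;
}
/* Constructed scenario: 3 fragments on A, 2 on B; A departs before the timeout. */
int scenario(void) {
    struct ifnet_model *a = calloc(1, sizeof(*a)), *b = calloc(1, sizeof(*b));
    if (a == NULL || b == NULL) return -1;
    for (unsigned h = 0; h < 3; h++) frag_enqueue(a, h, 1);
    for (unsigned h = 0; h < 2; h++) frag_enqueue(b, h + 7, 1);
    int purged = ifnet_depart(a);            /* nothing is left pointing at freed A */
    int expired = frag_slowtimo();           /* only B's fragments remain to expire */
    free(b);
    return purged * 10 + expired;
}
```

Skipping the `frag_sweep(ifp)` call in `ifnet_depart` reproduces the ordering described in the log: the timeout then reads `rcvif` after the interface has been freed, which a build with AddressSanitizer reports as a heap use-after-free.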