svn commit: r346118 - in head/sys: netinet netinet6

Mark Johnston markj at FreeBSD.org
Tue Sep 3 14:07:26 UTC 2019


Author: markj
Date: Thu Apr 11 08:00:59 2019
New Revision: 346118
URL: https://svnweb.freebsd.org/changeset/base/346118

Log:
  Reinitialize multicast source filter structures after invalidation.
  
  When leaving a multicast group, a hole may be created in the inpcb's
  source filter and group membership arrays.  To remove the hole, the
  succeeding array elements are copied over by one entry.  The multicast
  code expects that a newly allocated array element is initialized, but
  the code which shifts a tail of the array was leaving stale data
  in the final entry.  Fix this by explicitly reinitializing the last
  entry following such a copy.
  
  Reported by:	syzbot+f8c3c564ee21d650475e at syzkaller.appspotmail.com
  Reviewed by:	ae
  MFC after:	2 weeks
  Sponsored by:	The FreeBSD Foundation
  Differential Revision:	https://reviews.freebsd.org/D19872

Modified:
  head/sys/netinet/in_mcast.c
  head/sys/netinet6/in6_mcast.c

Modified: head/sys/netinet/in_mcast.c
==============================================================================
--- head/sys/netinet/in_mcast.c	Thu Apr 11 05:11:02 2019	(r346117)
+++ head/sys/netinet/in_mcast.c	Thu Apr 11 08:00:59 2019	(r346118)
@@ -2556,10 +2556,14 @@ out_in_multi_locked:
 
 	if (is_final) {
 		/* Remove the gap in the membership and filter array. */
+		KASSERT(RB_EMPTY(&imf->imf_sources),
+		    ("%s: imf_sources not empty", __func__));
 		for (++idx; idx < imo->imo_num_memberships; ++idx) {
-			imo->imo_membership[idx-1] = imo->imo_membership[idx];
-			imo->imo_mfilters[idx-1] = imo->imo_mfilters[idx];
+			imo->imo_membership[idx - 1] = imo->imo_membership[idx];
+			imo->imo_mfilters[idx - 1] = imo->imo_mfilters[idx];
 		}
+		imf_init(&imo->imo_mfilters[idx - 1], MCAST_UNDEFINED,
+		    MCAST_EXCLUDE);
 		imo->imo_num_memberships--;
 	}
 
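Review bot: The `KASSERT(RB_EMPTY(&imf->imf_sources), ...)` is the only guard on overwriting the departing filter slot, and KASSERT is compiled out of kernels built without INVARIANTS, so there a non-empty source tree would be overwritten by the shift (or reset by `imf_init` when the departing entry is the last one) and its nodes leaked silently. Whether the tree is always emptied before this point is decided outside the hunk, so this is something to confirm rather than a known defect. I would also add a comment above the `imf_init` call, e.g. `/* Last slot is now a struct copy of its predecessor; reset it, never purge it. */`, because after the loop the final element and `imo_mfilters[idx - 2]` hold the same tree root and freeing through the stale copy would leave dangling pointers in the live one. The same two points apply to the `im6f_init` hunk in in6_mcast.c.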

Modified: head/sys/netinet6/in6_mcast.c
==============================================================================
--- head/sys/netinet6/in6_mcast.c	Thu Apr 11 05:11:02 2019	(r346117)
+++ head/sys/netinet6/in6_mcast.c	Thu Apr 11 08:00:59 2019	(r346118)
@@ -2470,10 +2470,14 @@ in6p_leave_group(struct inpcb *inp, struct sockopt *so
 
 	if (is_final) {
 		/* Remove the gap in the membership array. */
+		KASSERT(RB_EMPTY(&imf->im6f_sources),
+		    ("%s: im6f_sources not empty", __func__));
 		for (++idx; idx < imo->im6o_num_memberships; ++idx) {
-			imo->im6o_membership[idx-1] = imo->im6o_membership[idx];
-			imo->im6o_mfilters[idx-1] = imo->im6o_mfilters[idx];
+			imo->im6o_membership[idx - 1] = imo->im6o_membership[idx];
+			imo->im6o_mfilters[idx - 1] = imo->im6o_mfilters[idx];
 		}
+		im6f_init(&imo->im6o_mfilters[idx - 1], MCAST_UNDEFINED,
+		    MCAST_EXCLUDE);
 		imo->im6o_num_memberships--;
 	}
 
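Review bot: The comment `/* Remove the gap in the membership array. */` is out of step with the block, which also shifts `im6o_mfilters` and now resets the vacated last filter; the IPv4 hunk already says "membership and filter array". I would reword it to `/* Remove the gap in the membership and filter arrays, then reset the vacated last slot. */`. The `im6f_init` call relies on `idx` being equal to `im6o_num_memberships` once the loop ends, which holds on the visible lines but is worth stating in that comment, since a stale final entry is exactly what this commit fixes. The body of in6p_leave_group extends outside the hunk.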



