svn commit: r346530 - in head/sys: netinet netinet6
Hans Petter Selasky
hps at selasky.org
Tue Sep 3 14:08:12 UTC 2019
On 4/22/19 9:52 AM, Enji Cooper wrote:
>
>> On Apr 22, 2019, at 12:27 AM, Hans Petter Selasky <hselasky at FreeBSD.org> wrote:
>>
>> Author: hselasky
>> Date: Mon Apr 22 07:27:24 2019
>> New Revision: 346530
>> URL: https://svnweb.freebsd.org/changeset/base/346530
>>
>> Log:
>> Fix panic in network stack due to memory use after free in relation to
>> fragmented packets.
>>
>> When sending IPv4 and IPv6 fragmented packets and a fragment is lost,
>> the mbuf making up the fragment will remain in the temporary hashed
>> fragment list for a while. If the network interface departs before the
>> so-called slow timeout clears the packet, the fragment causes a panic
>> when the timeout kicks in due to accessing a freed network interface
>> structure.
>>
>> Make sure that when a network device is departing, all hashed IPv4 and
>> IPv6 fragments belonging to it, get freed.
>>
>> Backtrace:
>> panic()
>> icmp6_reflect()
>>
>> hlim = ND_IFINFO(m->m_pkthdr.rcvif)->chlim;
>> ^^^^ rcvif->if_afdata[AF_INET6] is NULL.
>>
>> icmp6_error()
>> frag6_freef()
>> frag6_slowtimo()
>> pfslowtimo()
>> softclock_call_cc()
>> softclock()
>> ithread_loop()
>>
>> Differential Revision: https://reviews.freebsd.org/D19622
>> Reviewed by: bz (network), adrian
>> MFC after: 1 week
>> Sponsored by: Mellanox Technologies
>
> This commit broke the build on mips, etc:
>
> 07:36:06
> --- ip_reass.o ---
>
> 07:36:06
> /usr/src/sys/netinet/ip_reass.c:641: error: expected ')' before '(' token
>
> 07:36:06 *** [ip_reass.o] Error code 1
>
> EVENTHANDLER_DEFINE looks like it doesn’t work with gcc?
I'm looking into it.
Thank you!
--HPS
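
The failure mode described in the quoted commit log, as an added example that is not part of this message or of the FreeBSD change: a queued fragment keeps a borrowed pointer to its receive interface, and the slow timeout reads through it after the interface has departed unless the departure path purges the queue first. All names (toy_ifnet, toy_frag, frag_purge_if, frag_slowtimo, scenario) are hypothetical, and a cleared "attached" flag stands in for the freed interface structure so that the program never reads freed memory.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for struct ifnet and a queued fragment (not FreeBSD code). */
struct toy_ifnet { int attached; };
struct toy_frag {
    struct toy_ifnet *rcvif;  /* borrowed pointer, like m_pkthdr.rcvif */
    int ttl;                  /* slow-timeout ticks remaining */
    struct toy_frag *next;
};
static struct toy_frag *frag_list;  /* stands in for the hashed fragment list */

static void frag_enqueue(struct toy_ifnet *ifp, int ttl) {
    struct toy_frag *f = malloc(sizeof(*f));
    if (f == NULL) abort();
    f->rcvif = ifp; f->ttl = ttl; f->next = frag_list;
    frag_list = f;
}

/* Departure hook: free every pending fragment received on ifp. */
static int frag_purge_if(struct toy_ifnet *ifp) {
    int freed = 0;
    for (struct toy_frag **pp = &frag_list, *f; (f = *pp) != NULL; ) {
        if (f->rcvif != ifp) { pp = &f->next; continue; }
        *pp = f->next; free(f); freed++;
    }
    return freed;
}

/* Slow timeout: expire fragments, counting expiries whose rcvif has departed. */
static int frag_slowtimo(void) {
    int stale = 0;
    for (struct toy_frag **pp = &frag_list, *f; (f = *pp) != NULL; ) {
        if (--f->ttl > 0) { pp = &f->next; continue; }
        if (!f->rcvif->attached) stale++;  /* a kernel would read a freed ifnet here */
        *pp = f->next; free(f);
    }
    return stale;
}

/* Constructed scenario: if0 loses two fragments, then departs before the timeout. */
static int scenario(int purge_on_detach) {
    static struct toy_ifnet if0, if1;  /* static, so no freed memory is really read */
    if0.attached = if1.attached = 1;
    frag_enqueue(&if0, 1); frag_enqueue(&if1, 1); frag_enqueue(&if0, 1);
    if0.attached = 0;                  /* if0 departs */
    if (purge_on_detach) frag_purge_if(&if0);
    return frag_slowtimo();
}

int main(void) { return (scenario(0) == 2 && scenario(1) == 0) ? 0 : 1; }
```

Without the purge the timeout reaches both fragments of the departed interface; with it, only the fragment of the interface that is still attached is left to expire.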