svn commit: r186976 - in stable/7/sys: . contrib/pf dev/ath/ath_hal dev/cxgb netgraph
Alexander Motin
mav at FreeBSD.org
Fri Jan 9 21:02:55 UTC 2009
Author: mav
Date: Fri Jan 9 21:02:54 2009
New Revision: 186976
URL: http://svn.freebsd.org/changeset/base/186976
Log:
MFC rev. 182995
We can't implicitly trust the hook on NGQF_FN/NGQF_FN2 processing in
ng_apply_item(). There are possible (and I have got one) use-after-free
class panics because of it.
If a hook is specified, require it to be valid at apply time. The only
exceptions are the internal ng_con_part2(), ng_con_part3() and
ng_rmhook_part2() functions which are specially made to work with invalid
hooks.
Modified:
stable/7/sys/ (props changed)
stable/7/sys/contrib/pf/ (props changed)
stable/7/sys/dev/ath/ath_hal/ (props changed)
stable/7/sys/dev/cxgb/ (props changed)
stable/7/sys/netgraph/ng_base.c
Modified: stable/7/sys/netgraph/ng_base.c
==============================================================================
--- stable/7/sys/netgraph/ng_base.c Fri Jan 9 20:57:43 2009 (r186975)
+++ stable/7/sys/netgraph/ng_base.c Fri Jan 9 21:02:54 2009 (r186976)
@@ -2377,19 +2377,27 @@ ng_apply_item(node_p node, item_p item,
case NGQF_FN:
case NGQF_FN2:
/*
- * We have to implicitly trust the hook,
- * as some of these are used for system purposes
- * where the hook is invalid. In the case of
- * the shutdown message we allow it to hit
+ * In the case of the shutdown message we allow it to hit
* even if the node is invalid.
*/
- if ((NG_NODE_NOT_VALID(node))
- && (NGI_FN(item) != &ng_rmnode)) {
+ if (NG_NODE_NOT_VALID(node) &&
+ NGI_FN(item) != &ng_rmnode) {
TRAP_ERROR();
error = EINVAL;
NG_FREE_ITEM(item);
break;
}
+ /* Same is about some internal functions and invalid hook. */
+ if (hook && NG_HOOK_NOT_VALID(hook) &&
+ NGI_FN2(item) != &ng_con_part2 &&
+ NGI_FN2(item) != &ng_con_part3 &&
+ NGI_FN(item) != &ng_rmhook_part2) {
+ TRAP_ERROR();
+ error = EINVAL;
+ NG_FREE_ITEM(item);
+ break;
+ }
+
if ((item->el_flags & NGQF_TYPE) == NGQF_FN) {
(*NGI_FN(item))(node, hook, NGI_ARG1(item),
NGI_ARG2(item));
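Review bot: The new exemption test mixes the two item types: `NGI_FN2(item)` is compared against `&ng_con_part2` and `&ng_con_part3` and `NGI_FN(item)` against `&ng_rmhook_part2` for every NGQF_FN/NGQF_FN2 item, even though the dispatch immediately below already distinguishes them with `(item->el_flags & NGQF_TYPE) == NGQF_FN`. Whether reading the FN2 accessor on an FN item (and vice versa) is harmless depends on how those two accessors are laid out, which this hunk does not show; splitting the check on `(item->el_flags & NGQF_TYPE)` so that FN items are tested only against ng_rmhook_part2 and FN2 items only against ng_con_part2/ng_con_part3 would make the whitelist both type-correct and self-documenting. The comment `/* Same is about some internal functions and invalid hook. */` should also state why these three functions are exempt, for example "These internal functions are deliberately queued against a hook that is already invalid, so they are the only callers allowed through with NG_HOOK_NOT_VALID(hook)", since a future addition to this list needs that rationale. The rejection path (TRAP_ERROR, EINVAL, NG_FREE_ITEM, break) mirrors the existing invalid-node case, which is the right shape; just confirm NG_FREE_ITEM also drops whatever reference the item took on the hook when it was queued, otherwise the rejected item leaks it.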