sys/netinet6/in6_rmx.c: fix a double-free bug
Hi,
Here is a patch from KAME to fix a double-free bug when
net.inet[6].ip[6].rtexpire=0.
Fix a double-free bug when net.inet[6].ip[6].rtexpire=0.
Obtained from: KAME (via FreeBSD, in6_rmx.c:1.1.2.3->1.1.2.4)
Index: in6_rmx.c
===================================================================
RCS file: /cvs/src/sys/netinet6/in6_rmx.c,v
retrieving revision 1.8
diff -d -u -I\$FreeBSD:.*\$ -I\$NetBSD:.*\$ -I\$OpenBSD:.*\$ -I\$DragonFly:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.8 in6_rmx.c
--- in6_rmx.c 21 Dec 2004 02:54:47 -0000 1.8
+++ in6_rmx.c 28 Dec 2004 09:59:36 -0000
@@ -276,10 +276,16 @@
rt->rt_flags |= RTPRF_OURS;
rt->rt_rmx.rmx_expire = time_second + rtq_reallyold;
} else {
+ struct rtentry *dummy;
+
+ /*
+ * rtrequest() would recursively call rtfree() without the
+ * dummy entry argument, causing duplicated free.
+ */
rtrequest(RTM_DELETE,
(struct sockaddr *)rt_key(rt),
rt->rt_gateway, rt_mask(rt),
- rt->rt_flags, 0);
+ rt->rt_flags, &dummy);
}
}
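Review bot: In the else branch the return value of rtrequest() is still ignored and `dummy` is never read after the call, so a failed RTM_DELETE passes silently and nothing in the code shows who owns the entry handed back through `&dummy`. Consider checking the result, or casting the call to void to show the omission is deliberate. The new comment should also say which caller performs the remaining free, since it only states that passing 0 makes rtrequest() call rtfree() recursively. Initialising `dummy` to NULL at its declaration would also make it obvious that the value is intentionally discarded.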