Re: sys/netinet6/in6_rmx.c: fix a double-free bug
Hiroki Sato wrote:
> Hi,
>
> Here is a patch from KAME to fix a double-free bug when
> net.inet[6].ip[6].rtexpire=0.
>
>
>
> ------------------------------------------------------------------------
>
> Fix a double-free bug when net.inet[6].ip[6].rtexpire=0.
>
> Obtained from: KAME (via FreeBSD, in6_rmx.c:1.1.2.3->1.1.2.4)
>
> Index: in6_rmx.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet6/in6_rmx.c,v
> retrieving revision 1.8
> diff -d -u -I\$FreeBSD:.*\$ -I\$NetBSD:.*\$ -I\$OpenBSD:.*\$ -I\$DragonFly:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.8 in6_rmx.c
> --- in6_rmx.c 21 Dec 2004 02:54:47 -0000 1.8
> +++ in6_rmx.c 28 Dec 2004 09:59:36 -0000
> @@ -276,10 +276,16 @@
> rt->rt_flags |= RTPRF_OURS;
> rt->rt_rmx.rmx_expire = time_second + rtq_reallyold;
> } else {
> + struct rtentry *dummy;
> +
> + /*
> + * rtrequest() would recursively call rtfree() without the
> + * dummy entry argument, causing duplicated free.
> + */
> rtrequest(RTM_DELETE,
> (struct sockaddr *)rt_key(rt),
> rt->rt_gateway, rt_mask(rt),
> - rt->rt_flags, 0);
> + rt->rt_flags, &dummy);
> }
> }
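Review bot: the comment in the `else` branch explains why a non-NULL last argument keeps rtrequest() from recursing into rtfree(), but it says nothing about the reference that rtrequest() hands back in `dummy`; the hunk declares `dummy`, passes `&dummy`, and then never examines or releases it, so a reader will expect an rtfree(dummy) to follow. Suggest extending the comment to state who owns that reference afterwards (for instance that the enclosing release path already holds it and will drop it), or else releasing it explicitly, so the intent is documented and the reference count can be checked against the code.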
I don't think it is a problem for our routing code to call rtrequest(RTM_DELETE) with
a NULL return route for the last parameter. Are we talking about a recursive call
from rtfree() to rtfree() or from rtfree() back to rtrequest()? A stack trace
showing the problem would help illustrate the problem for me. Thanks.
Jeffrey
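To make the recursion the quoted comment describes concrete, here is a small added C model of the release path; it is not the kernel code from the patch or from KAME/FreeBSD. The names rt_free(), rt_request_delete() and close_hook() are hypothetical stand-ins for rtfree(), rtrequest(RTM_DELETE, ...) and the rnh_close hook (in6_clsroute), and the model assumes the 4.4BSD-derived shape of those routines as I understand it: rtfree() drops a reference, calls the close hook when the count reaches zero, and frees the entry once it is both unreferenced and unlinked, while rtrequest(RTM_DELETE) unlinks the entry and either hands its reference back through a non-NULL return pointer or drops it itself. Instead of actually freeing twice, the model counts releases so both variants can run safely.

```c
/* Added model of the rtfree()/rtrequest(RTM_DELETE) interaction; not the
 * kernel code. Field and function names are hypothetical simplifications. */
#include <stdio.h>

struct rtentry {
    int refcnt;     /* outstanding references */
    int linked;     /* 1 while the entry is still in the routing table */
    int use_dummy;  /* 1 = pass a return pointer (the patched behaviour) */
    int released;   /* how many times the entry was "freed" (counted, not freed) */
};

static void rt_free(struct rtentry *rt);

/* Model of rtrequest(RTM_DELETE): unlink the entry, then either hand its
 * reference back to the caller (ret != NULL) or drop it via rt_free().
 * Assumed to follow the 4.4BSD-derived code, where a second delete of an
 * already unlinked entry simply fails. */
static void rt_request_delete(struct rtentry *rt, struct rtentry **ret)
{
    if (!rt->linked)
        return;                     /* already deleted: nothing to do */
    rt->linked = 0;
    if (ret != NULL) {
        *ret = rt;                  /* caller now owns the reference */
    } else if (rt->refcnt <= 0) {
        rt->refcnt++;               /* take a reference so rt_free balances */
        rt_free(rt);                /* re-enters the release path */
    }
}

/* Model of the close hook (in6_clsroute with rtexpire == 0): the entry is
 * deleted immediately instead of being kept around to expire later. */
static void close_hook(struct rtentry *rt)
{
    if (rt->use_dummy) {
        struct rtentry *dummy;
        rt_request_delete(rt, &dummy);  /* patched: no recursive rt_free() */
    } else {
        rt_request_delete(rt, NULL);    /* unpatched: recursive rt_free() */
    }
}

/* Model of rtfree(): drop a reference, run the close hook at zero, and
 * release the entry once it is unreferenced and unlinked. */
static void rt_free(struct rtentry *rt)
{
    rt->refcnt--;
    if (rt->refcnt == 0 && rt->linked)
        close_hook(rt);
    if (rt->refcnt <= 0 && !rt->linked)
        rt->released++;             /* real code would free(rt) here */
}

/* Drop the last reference on a freshly linked entry and report how many
 * times it was released: 1 is correct, 2 is the double free. */
int simulate_release(int use_dummy)
{
    struct rtentry rt = { 1, 1, use_dummy, 0 };
    rt_free(&rt);
    return rt.released;
}

int main(void)
{
    printf("without return pointer: released %d time(s)\n", simulate_release(0));
    printf("with return pointer:    released %d time(s)\n", simulate_release(1));
    return 0;
}
```

The unpatched path releases the entry twice: the close hook's delete re-enters rt_free() while the outer rt_free() is still in progress, and both fall through to the final release. With a return pointer the delete hands the reference back instead, and only the outer rt_free() releases the entry; this is the reference the patch leaves in `dummy` for the enclosing release path to consume.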