Re: sys/netinet6/in6_rmx.c: fix a double-free bug

Board: DFBSD_submit  Time: 21 years ago (2005/01/01 08:01)  Score: 0
0 comments, 0 participants, message 3/4 in this thread
Jeffrey Hsu <hsu@freebsd.org> wrote in <41d1cb86$0$719$415eb37d@crater_reader.dragonflybsd.org>:

hsu> I don't think it is a problem for our routing code to call rtrequest(RTM_DELETE) with
hsu> a NULL return route for the last parameter. Are we talking about a recursive call
hsu> from rtfree() to rtfree() or from rtfree() back to rtrequest()? A stack trace
hsu> showing the problem would help illustrate the problem for me. Thanks.

I can reproduce the system panic due to this double free. Specifically, doing "sysctl net.inet6.ip6.rtexpire=0" and then "ping6 somewhere" will trigger it. Probably Jinmei-san can explain the reason more precisely, but when rtq_reallyold == 0, rtfree() can be called twice from the rtrequest() in in6_clsroute() and somewhere else.

Here is a stack trace from when the panic occurred (I think this is not so useful though...):

#23 0xc03fbef4 in Debugger (msg=0xc046df3c "panic") at machine/cpufunc.h:68
#24 0xc0261848 in panic (fmt=0xc047a720 "rtfree: rn_flags 0x%x ") at /usr/src/sys/kern/kern_shutdown.c:618
#25 0xc02bb84f in rtfree (rt=0xc172add8) at /usr/src/sys/net/route.c:191
#26 0xc02eb111 in in6_pcbdetach (inp=0xcd81eb00) at /usr/src/sys/netinet6/in6_pcb.c:610
#27 0xc02f638c in udp6_detach (so=0xcd662bc0) at /usr/src/sys/netinet6/udp6_usrreq.c:684
#28 0xc0287c53 in netmsg_pru_detach (msg=0xcf337af8) at /usr/src/sys/kern/uipc_msg.c:494
#29 0xc02b9e75 in netmsg_service_loop (arg=0x0) at /usr/src/sys/net/netisr.c:200
#30 0xc0266aa0 in lwkt_create () at /usr/src/sys/kern/lwkt_thread.c:1260

If you want other information on this problem, please let me know. Thanks.

-- 
| Hiroki SATO
Article ID (AID): #11rUX400 (DFBSD_submit)