cvs commit: src/sys/netinet ip_fw2.c
Sam Leffler
sam at errno.com
Thu Nov 27 11:09:56 PST 2003
On Thursday 27 November 2003 01:40 am, Andre Oppermann wrote:
> andre 2003/11/27 01:40:14 PST
>
> FreeBSD src repository
>
> Modified files:
> sys/netinet ip_fw2.c
> Log:
> Fix verify_rev_path() function. The author of this function tried to
> cut corners which completely broke down when the routing table locking
> was introduced.
The locking actually was unrelated to the problem. The problem was that the
code held a reference to a routing table entry w/o bumping the reference
count. The bug was identified because RTFREE (via RTFREE_LOCKED) zeroes the
argument after freeing the reference to safeguard against "use after free" bugs.
This however zeroed the pointer that was being held in static memory as a
cache and broke the logic of the code. This in turn broke the expected
behaviour and caused someone to notice something was wrong. The existing
code was a potential landmine because there was no guarantee the held
reference was valid. I note that this same problem exists in -stable...
Sam