cvs commit: src/sys/netinet ip_fw2.c
Kirk McKusick
mckusick at FreeBSD.org
Wed Oct 15 19:00:14 PDT 2003
mckusick 2003/10/15 19:00:12 PDT
FreeBSD src repository
Modified files:
sys/netinet ip_fw2.c
Log:
Malloc buckets of size 128 have been having their 64-byte offset
trashed after being freed. This has caused several panics including
kern/42277 related to soft updates. Jim Kuhn tracked the problem
down to ipfw limit rule processing. In the expiry of dynamic rules,
it is possible for an O_LIMIT_PARENT rule to be removed when it still
has live children. When the children eventually do expire, a pointer
to the (long gone) parent is dereferenced and a count decremented.
Since this memory can be, and is, allocated for other purposes (in the
case of kern/42277 an inodedep structure), chaos ensues. The offset
in question in inodedep is the offset of the 16 bit count field in
the ipfw2 ipfw_dyn_rule.
Submitted by: Jim Kuhn <jkuhn at sandvine.com>
Reviewed by: "Evgueni V. Gavrilov" <aquatique at rusunix.org>
Reviewed by: Ben Pfountz <netprince at vt.edu>
MFC after: 1 week
Revision Changes Path
1.40 +7 -4 src/sys/netinet/ip_fw2.c
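
The failure mode the log describes, as an added user-space illustration; it is not code from ip_fw2.c and not the committed change. The names dyn_rule, expire_rules, run_scenario and the guard flag are hypothetical, and the guard (keeping a parent while its count is non-zero) is an assumed way to avoid the stale access, not a statement of what revision 1.40 does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* User-space model with hypothetical names; not code from ip_fw2.c. */
enum dyn_type { DYN_LIMIT, DYN_LIMIT_PARENT };

struct dyn_rule {
    enum dyn_type type;
    struct dyn_rule *parent; /* set on DYN_LIMIT children */
    uint16_t count;          /* live children (parents only) */
    uint32_t expire;         /* expiry time */
    int freed;               /* stands in for free(); nothing is really reused */
};
/* Expire rules with expire <= now. guard == 0 removes a parent even when
 * count > 0; guard != 0 keeps it. Returns child expiries that hit a freed parent. */
static int expire_rules(struct dyn_rule *r, size_t n, uint32_t now, int guard)
{
    int stale = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i].freed || r[i].expire > now)
            continue;
        if (r[i].type == DYN_LIMIT_PARENT) {
            if (guard && r[i].count > 0)
                continue; /* still referenced by children */
        } else if (r[i].parent != NULL) {
            if (r[i].parent->freed)
                stale++; /* in a kernel: the decrement lands in reused memory */
            else
                r[i].parent->count--;
        }
        r[i].freed = 1;
    }
    return stale;
}

/* Constructed scenario: parent expires at t=10, its two children at t=20. */
static int run_scenario(int guard)
{
    struct dyn_rule r[3] = {
        { DYN_LIMIT_PARENT, NULL, 2, 10, 0 },
        { DYN_LIMIT, &r[0], 0, 20, 0 },
        { DYN_LIMIT, &r[0], 0, 20, 0 },
    };
    int stale = expire_rules(r, 3, 10, guard);
    return stale + expire_rules(r, 3, 20, guard);
}
int main(void) {
    printf("stale parent accesses: unguarded=%d guarded=%d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```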