cvs commit: src/sys/netinet ip_fw2.c
John Baldwin
jhb at FreeBSD.org
Thu Oct 16 11:35:13 PDT 2003
On 16-Oct-2003 Kirk McKusick wrote:
> mckusick 2003/10/15 19:00:12 PDT
>
> FreeBSD src repository
>
> Modified files:
> sys/netinet ip_fw2.c
> Log:
> Malloc buckets of size 128 have been having their 64-byte offset
> trashed after being freed. This has caused several panics including
> kern/42277 related to soft updates. Jim Kuhn tracked the problem
> down to ipfw limit rule processing. In the expiry of dynamic rules,
> it is possible for an O_LIMIT_PARENT rule to be removed when it still
> has live children. When the children eventually do expire, a pointer
> to the (long gone) parent is dereferenced and a count decremented.
> Since this memory can, and is, allocated for other purposes (in the
> case of kern/42277 an inodedep structure), chaos ensues. The offset
> in question in inodedep is the offset of the 16 bit count field in
> the ipfw2 ipfw_dyn_rule.
>
> Submitted by: Jim Kuhn <jkuhn at sandvine.com>
> Reviewed by: "Evgueni V. Gavrilov" <aquatique at rusunix.org>
> Reviewed by: Ben Pfountz <netprince at vt.edu>
> MFC after: 1 week
Wow, impressive find!
--
John Baldwin <jhb at FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
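
The lifetime rule described in the quoted commit log, as an added example that is not part of the original thread and not the ip_fw2.c change itself: a simplified model in which the expiry pass leaves an O_LIMIT_PARENT-style rule in place while its child count is non-zero, so a child's later expiry never decrements freed memory. The struct, enum and function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical names modelling the page's O_LIMIT_PARENT rule and its children. */
enum dyn_type { DYN_LIMIT, DYN_LIMIT_PARENT };
struct dyn_rule {
    struct dyn_rule *next, *parent;  /* parent is set on children only */
    enum dyn_type type;
    uint32_t expire;                 /* absolute expiry time */
    uint16_t count;                  /* on a parent: number of live children */
};

static struct dyn_rule *add_rule(struct dyn_rule **head, enum dyn_type type,
                                 struct dyn_rule *parent, uint32_t expire)
{
    struct dyn_rule *r = malloc(sizeof(*r));
    if (r == NULL)
        abort();
    *r = (struct dyn_rule){ .next = *head, .parent = parent, .type = type, .expire = expire };
    if (parent != NULL)
        parent->count++;
    *head = r;                       /* prepend to the list */
    return r;
}

/* Free expired rules and return how many were freed. */
static int expire_rules(struct dyn_rule **head, uint32_t now)
{
    int freed = 0;
    for (struct dyn_rule **pp = head, *r; (r = *pp) != NULL; ) {
        /* A parent with live children stays, even if its own timer ran out. */
        if (r->expire > now || (r->type == DYN_LIMIT_PARENT && r->count != 0)) {
            pp = &r->next;
            continue;
        }
        if (r->parent != NULL)
            r->parent->count--;      /* parent is still allocated, see above */
        *pp = r->next;
        free(r);
        freed++;
    }
    return freed;
}

int main(void)
{   /* Constructed scenario: parent and one child expire at t=10, one child at t=100. */
    struct dyn_rule *head = NULL, *p = add_rule(&head, DYN_LIMIT_PARENT, NULL, 10);
    add_rule(&head, DYN_LIMIT, p, 10);
    add_rule(&head, DYN_LIMIT, p, 100);
    return !(expire_rules(&head, 50) == 1 && p->count == 1 && expire_rules(&head, 200) == 2);
}
```

main() returns 0 when the expired parent survives the first pass with one child left and the second pass frees the last child and then the parent.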