cvs commit: src/sys/netinet ip_dummynet.c
Ruslan Ermilov
ru at FreeBSD.org
Fri Feb 3 08:11:32 PST 2006
On Fri, Feb 03, 2006 at 11:38:19AM +0000, Gleb Smirnoff wrote:
> glebius 2006-02-03 11:38:19 UTC
>
> FreeBSD src repository
>
> Modified files:
> sys/netinet ip_dummynet.c
> Log:
> Dropping the lock in the transmit_event() is not safe, because we
> store some pipe pointers on stack. If user reconfigures dummynet
> in the interlock gap, we can work with freed pipes after relock.
>
> To fix this, we decided not to send packets in transmit_event(),
> but fill a queue. At the end of dummynet() and dummynet_io(),
> after the lock is dropped, if there is something in the queue
> we run dummynet_send() to process the queue.
>
> In collaboration with: ru
>
> Revision Changes Path
> 1.98 +115 -94 src/sys/netinet/ip_dummynet.c
>
The insufficient locking resulted in a "NULL-like" pointer dereference.
Fault virtual address was 0x18: NULL + 8 (size of a pointer on amd64)
+ 0x10 (structure offset).
Thanks for providing the fix so quickly and for working overnight!
Cheers,
--
Ruslan Ermilov
ru at FreeBSD.org
FreeBSD committer