Possible race in IPv6
Alexandre Martins
alexandre.martins at stormshield.eu
Wed Mar 18 17:07:37 UTC 2015
Dear,
I'm facing some crashes around manipulation of IPv6 addresses.
I already found that commit 275593 will fix my issue.
However, after some code review, I see a possible race in the function
nd6_na_input:
https://svnweb.freebsd.org/base/head/sys/netinet6/nd6_nbr.c?annotate=279676#l750
=-=-=-=-=-=-=-=-=-=
	if (ifa
	    && (((struct in6_ifaddr *)ifa)->ia6_flags & IN6_IFF_TENTATIVE)) {
		ifa_free(ifa);
		nd6_dad_na_input(ifa);
		goto freeit;
	}
=-=-=-=-=-=-=-=-=-=
As you can see, the function drops its reference on the address and passes it to
nd6_dad_na_input.
It would be better to release the reference after the call.
What about you?
Regards
--
Alexandre Martins
STORMSHIELD
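
Added example, not part of the original message and not FreeBSD code: a user-space C model of the release-then-use ordering described in the mail, showing why it only fails when another holder drops its reference first. The `toy_*` names, the `destroyed` flag (standing in for the actual free), the flag value and the starting count of two references are assumptions of the model.

```c
#include <stdbool.h>

/* Toy stand-in for a refcounted interface address (hypothetical type). */
struct toy_ifaddr {
	int  refcnt;     /* references currently held */
	bool destroyed;  /* set on last release; models the memory being freed */
	int  flags;
};
#define TOY_TENTATIVE 0x02  /* constructed value standing in for IN6_IFF_TENTATIVE */

/* Models ifa_free(): drop one reference, destroy the object on the last one. */
static void toy_ifa_free(struct toy_ifaddr *ifa)
{
	if (--ifa->refcnt == 0)
		ifa->destroyed = true;
}

/* Models nd6_dad_na_input(): reports false if handed a destroyed object. */
static bool toy_dad_na_input(const struct toy_ifaddr *ifa)
{
	return !ifa->destroyed;
}

bool na_input(struct toy_ifaddr *ifa, bool release_first)
{
	bool ok = true;
	if (ifa && (ifa->flags & TOY_TENTATIVE)) {
		if (release_first) {            /* order quoted in the mail */
			toy_ifa_free(ifa);
			ok = toy_dad_na_input(ifa);
		} else {                        /* order proposed in the mail */
			ok = toy_dad_na_input(ifa);
			toy_ifa_free(ifa);
		}
	}
	return ok;
}

/* Assumed setup: two references, ours from the lookup and one other holder's. */
bool scenario(bool release_first, bool concurrent_removal)
{
	struct toy_ifaddr a = { .refcnt = 2, .destroyed = false, .flags = TOY_TENTATIVE };
	if (concurrent_removal)
		toy_ifa_free(&a);   /* the other holder lets go before we run */
	return na_input(&a, release_first);
}

int main(void) { return scenario(true, true) ? 1 : 0; }
```

With the other holder still present, the release-first order appears to work, which is why this kind of bug tends to surface only as an intermittent crash.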