kern/144874: [if_bridge] [patch] if_bridge frees mbuf after pfil hooks returns non-zero
Gleb Kurtsou
gleb.kurtsou at gmail.com
Sat Mar 20 01:50:03 UTC 2010
The following reply was made to PR kern/144874; it has been noted by GNATS.
From: Gleb Kurtsou <gleb.kurtsou at gmail.com>
To: bug-followup at FreeBSD.org, jacobmdrop at comcast.net
Cc:
Subject: Re: kern/144874: [if_bridge] [patch] if_bridge frees mbuf after
pfil hooks returns non-zero
Date: Sat, 20 Mar 2010 03:50:04 +0200
[...]
> Create a simple pfil hook and install it with pfil_add_hook(PFIL_IN).
> The hook should drop (some) packets by returning a non-zero value. The
> hook should free the mbuf on dropped packets by calling m_freem(*mp).
> The filter should _not_ modify the mbuf pointer (mp). Install a
^^^^^^^^^ documentation is wrong here.
As far as I can see all firewalls in the tree zero mp after free,
something like:
	if (chk && *m) {
		m_freem(*m);
		*m = NULL;
	}
The correct fix would be to update the documentation and add a KASSERT to
pfil_run_hooks checking *mp == 0 if the hook returned a non-zero result.
> if_bridge on the system, and pass traffic through the bridge, such
> that at least one packet gets dropped by the pfil hook. At some point
> shortly after that the system will panic. The panic usually occurs
> in sbflush_internal(), though there are other ways that the corruption
> can manifest.
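
Added example, not part of the original message or of FreeBSD: a userland C model of the hook contract discussed above, showing the double free when a hook frees the packet but leaves *mp set, and the effect of the proposed check. All toy_* names, the static pool, the 100-byte drop rule and the -1 return in place of a panic are assumptions made for the model; it also assumes that freeing a NULL mbuf is a no-op.

```c
#include <stddef.h>
#include <stdio.h>
/* Toy stand-ins (assumptions, not kernel code). A static pool replaces the
 * mbuf allocator so a second free is counted instead of corrupting memory. */
struct toy_mbuf { int len; int freed; };
static struct toy_mbuf pool[8];
static int next_slot, double_frees;
typedef int (*toy_hook_t)(struct toy_mbuf **mp);
static struct toy_mbuf *toy_get(int len) {
    struct toy_mbuf *m = &pool[next_slot++ % 8];
    m->len = len; m->freed = 0;
    return m;
}
static void toy_freem(struct toy_mbuf *m) {   /* models m_freem() */
    if (m == NULL) return;                    /* assumption: NULL is a no-op */
    if (m->freed) double_frees++;
    m->freed = 1;
}
/* Convention described in the reply: free the packet, then zero *mp. */
static int hook_zeroing(struct toy_mbuf **mp) {
    if ((*mp)->len > 100) { toy_freem(*mp); *mp = NULL; return 1; }
    return 0;
}
/* Hook written to the quoted steps: frees, leaves *mp unmodified. */
static int hook_per_docs(struct toy_mbuf **mp) {
    if ((*mp)->len > 100) { toy_freem(*mp); return 1; }
    return 0;
}
/* Models the proposed KASSERT: a non-zero result must come with *mp == NULL.
 * Reports -1 and clears the stale pointer where the kernel would panic. */
static int toy_run_hooks(toy_hook_t hook, struct toy_mbuf **mp, int checked) {
    int rv = hook(mp);
    if (checked && rv != 0 && *mp != NULL) { *mp = NULL; return -1; }
    return rv;
}
/* Caller that frees on a non-zero hook result; returns double frees caused. */
static int toy_bridge_input(toy_hook_t hook, int len, int checked) {
    int before = double_frees;
    struct toy_mbuf *m = toy_get(len);
    if (toy_run_hooks(hook, &m, checked) != 0) toy_freem(m);  /* error path */
    else toy_freem(m);               /* passed: packet consumed downstream */
    return double_frees - before;
}
int main(void) {
    printf("zeroing hook: %d double free(s)\n", toy_bridge_input(hook_zeroing, 1500, 0));
    printf("per-docs hook: %d, with check: %d\n", toy_bridge_input(hook_per_docs, 1500, 0),
           toy_bridge_input(hook_per_docs, 1500, 1));
    return 0;
}
```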