svn commit: r236609 - stable/8/sys/netinet6
Bjoern A. Zeeb
bz at FreeBSD.org
Tue Jun 5 11:27:11 UTC 2012
Author: bz
Date: Tue Jun 5 11:27:11 2012
New Revision: 236609
URL: http://svn.freebsd.org/changeset/base/236609
Log:
MFC r236501 (by emax):
Plug reference leak.
Interface addresses are refcounted as packets move through the stack,
and there's garbage collection tied to it so that address changes can
safely propagate while traffic is flowing. In our setup, we weren't
changing or deleting any addresses, but the refcounting logic in
ip6_input() was wrong and caused a reference leak on every inbound
V6 packet. This eventually caused a 32bit overflow, and the resulting
0 value caused the garbage collection to run on the active address.
That then snowballed into the panic.
Modified:
stable/8/sys/netinet6/ip6_input.c
Directory Properties:
stable/8/sys/ (props changed)
Modified: stable/8/sys/netinet6/ip6_input.c
==============================================================================
--- stable/8/sys/netinet6/ip6_input.c Tue Jun 5 11:26:43 2012 (r236608)
+++ stable/8/sys/netinet6/ip6_input.c Tue Jun 5 11:27:11 2012 (r236609)
@@ -734,19 +734,23 @@ passin:
* as our interface address (e.g. multicast addresses, addresses
* within FAITH prefixes and such).
*/
- if (deliverifp && !ip6_getdstifaddr(m)) {
+ if (deliverifp) {
struct in6_ifaddr *ia6;
- ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
- if (ia6) {
- if (!ip6_setdstifaddr(m, ia6)) {
- /*
- * XXX maybe we should drop the packet here,
- * as we could not provide enough information
- * to the upper layers.
- */
- }
+ if ((ia6 = ip6_getdstifaddr(m)) != NULL) {
ifa_free(&ia6->ia_ifa);
+ } else {
+ ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
+ if (ia6) {
+ if (!ip6_setdstifaddr(m, ia6)) {
+ /*
+ * XXX maybe we should drop the packet here,
+ * as we could not provide enough information
+ * to the upper layers.
+ */
+ }
+ ifa_free(&ia6->ia_ifa);
+ }
}
}
More information about the svn-src-all
mailing list