svn commit: r346530 - in head/sys: netinet netinet6
Enji Cooper
yaneurabeya at gmail.com
Tue Sep 3 14:08:12 UTC 2019
> On Apr 22, 2019, at 12:27 AM, Hans Petter Selasky <hselasky at FreeBSD.org> wrote:
>
> Author: hselasky
> Date: Mon Apr 22 07:27:24 2019
> New Revision: 346530
> URL: https://svnweb.freebsd.org/changeset/base/346530
>
> Log:
> Fix panic in network stack due to memory use after free in relation to
> fragmented packets.
>
> When sending IPv4 and IPv6 fragmented packets and a fragment is lost,
> the mbuf making up the fragment will remain in the temporary hashed
> fragment list for a while. If the network interface departs before the
> so-called slow timeout clears the packet, the fragment causes a panic
> when the timeout kicks in due to accessing a freed network interface
> structure.
>
> Make sure that when a network device is departing, all hashed IPv4 and
> IPv6 fragments belonging to it, get freed.
>
> Backtrace:
> panic()
> icmp6_reflect()
>
> hlim = ND_IFINFO(m->m_pkthdr.rcvif)->chlim;
> ^^^^ rcvif->if_afdata[AF_INET6] is NULL.
>
> icmp6_error()
> frag6_freef()
> frag6_slowtimo()
> pfslowtimo()
> softclock_call_cc()
> softclock()
> ithread_loop()
>
> Differential Revision: https://reviews.freebsd.org/D19622
> Reviewed by: bz (network), adrian
> MFC after: 1 week
> Sponsored by: Mellanox Technologies
This commit broke the build on mips, etc:
07:36:06
--- ip_reass.o ---
07:36:06
/usr/src/sys/netinet/ip_reass.c:641: error: expected ')' before '(' token
07:36:06 *** [ip_reass.o] Error code 1
EVENTHANDLER_DEFINE looks like it doesn’t work with gcc?
Thanks,
-Enji
More information about the svn-src-all
mailing list