>Number: 151908
>Category: misc
>Synopsis: nd6_ns_input: panic may happen, for RTFREE_LOCKED set rt to 0.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Nov 03 08:50:08 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: chenyl
>Release: FreeBSD 8.1-RELEASE
>Organization: array
>Environment: FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010
>Description:
nd6_ns_input:
256         need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 &&
257             rt->rt_gateway->sa_family == AF_LINK);
258         if (rt)
259             RTFREE_LOCKED(rt);
260         if (need_proxy) {
261             /*
262              * proxy NDP for single entry
263              */
264             ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(ifp,
265                 IN6_IFF_NOTREADY|IN6_IFF_ANYCAST);
266             if (ifa) {
267                 proxy = 1;
268                 proxydl = SDL(rt->rt_gateway);
269             }
270         }
271     }
L259: RTFREE_LOCKED(rt); rt will be set to 0.
L268: rt will be referenced. Panic may happen here.
>How-To-Repeat:
>Fix:
--- nd6_nbr.c 2010-06-14 10:09:06.000000000 +0800 +++ nd6_nbr.c.bak 2010-11-04 00:43:15.000000000 +0800 @@ -255,8 +255,6 @@ nd6_ns_input(struct mbuf *m, int off, in #endif need_proxy = (rt && (rt->rt_flags & RTF_ANNOUNCE) != 0 && rt->rt_gateway->sa_family == AF_LINK); - if (rt) - RTFREE_LOCKED(rt); if (need_proxy) { /* * proxy NDP for single entry @@ -268,6 +266,10 @@ nd6_ns_input(struct mbuf *m, int off, in proxydl = SDL(rt->rt_gateway); } } + if(!proxy) { + if(rt) + RTFREE_LOCKED(rt); + } } if (ifa == NULL) { /*
>Release-Note:
>Audit-Trail:
>Unformatted:
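Review bot: In the second hunk (@@ -268,6 +266,10 @@) the new "if(!proxy)" guard leaves rt locked and referenced whenever proxy is set, because none of the visible lines releases it on that path. Since "proxydl = SDL(rt->rt_gateway);" keeps a pointer into the route entry, either add an RTFREE_LOCKED(rt) after the last use of proxydl, or copy the link-layer address into local storage inside the need_proxy block and keep a single unconditional release after it. Two smaller points: the added lines write "if(" where the surrounding code writes "if (", and the +++ header names nd6_nbr.c.bak rather than nd6_nbr.c.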
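The ordering described in this report, reduced to a user-space C model as an added example (not code from the report or from FreeBSD). struct route, ROUTE_RELEASE and the three function names are hypothetical stand-ins for the route entry and RTFREE_LOCKED; the model assumes the release macro clears its argument as the report states, skips the ifa lookup, and returns -1 at the point where the kernel would read through the cleared pointer.

```c
/* User-space model of the release/use ordering; hypothetical names, not kernel code. */
#include <stddef.h>
#include <string.h>
#define MODEL_AF_LINK 18                      /* constructed value for the model */
struct gw { int family; unsigned char lladdr[6]; };
struct route { int refcnt; int announce; struct gw gateway; };
/* Like the macro in the report: drop a reference, then clear the caller's pointer. */
#define ROUTE_RELEASE(rt) do { (rt)->refcnt--; (rt) = NULL; } while (0)

static int wants_proxy(const struct route *rt)
{
    return rt && rt->announce && rt->gateway.family == MODEL_AF_LINK;
}

/* Ordering from the report: release first, then read the gateway through rt. */
int proxy_lookup_reported(struct route *rt, unsigned char out[6])
{
    int need_proxy = wants_proxy(rt);
    if (rt)
        ROUTE_RELEASE(rt);
    if (!need_proxy)
        return 0;
    if (rt == NULL)
        return -1;                            /* the kernel reads rt->rt_gateway here */
    memcpy(out, rt->gateway.lladdr, 6);
    return 1;
}

/* Ordering in the submitted patch: release only when proxy stayed 0. */
int proxy_lookup_patched(struct route *rt, unsigned char out[6])
{
    int proxy = wants_proxy(rt);
    if (proxy)
        memcpy(out, rt->gateway.lladdr, 6);
    if (!proxy && rt)
        ROUTE_RELEASE(rt);                    /* proxy path keeps its reference */
    return proxy;
}

/* Alternative: copy what the proxy path needs, then release on every path. */
int proxy_lookup_copy_first(struct route *rt, unsigned char out[6])
{
    int proxy = wants_proxy(rt);
    if (proxy)
        memcpy(out, rt->gateway.lladdr, 6);
    if (rt)
        ROUTE_RELEASE(rt);
    return proxy;
}
```

Comparing refcnt before and after each call shows which orderings leave a reference held on the proxy path.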