syncache_timer()
...
        /*
         * syncache_respond() may call back into the syncache to
         * modify another entry, so do not obtain the next
         * entry on the timer chain until it has completed.
         */
        (void) syncache_respond(sc, NULL);
        nsc = TAILQ_NEXT(sc, sc_timerq);
        tcpstat.tcps_sc_retransmitted++;
        TAILQ_REMOVE(&tcp_syncache.timerq[slot], sc, sc_timerq);
So what happens is that syncache_respond() calls ip_output(), which ends up calling ip_input(), which ends up doing something that causes 'sc' to be freed. Now 'sc' is freed, we return to syncache_timer(), and then we use it in the "nsc = TAILQ_NEXT(...)" line.

This particular part of the problem was introduced in 1.23 of tcp_syncache.c in response to another bug that I had found.

Does anyone have a suggestion on a proper fix?
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
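The hazard in the quoted syncache_timer() loop is that the callback may free either the current entry or the entry that would be next, so neither "fetch next before" nor "fetch next after" is safe on its own. The following is an added example, not FreeBSD's tcp_syncache.c or the fix the project adopted: a toy timer chain built on the same TAILQ macros, where the callback can drop the current entry and/or another one, and the walk holds a reference across the callback so a dropped entry stays linked until its next pointer has been read. struct sc, sc_put(), respond() and run_walk() are assumptions of this example.

```c
#include <stdlib.h>
#include <sys/queue.h>
struct sc {  /* constructed stand-in for a syncache entry, not FreeBSD's */
	int id, refs, dropped;  /* refs: holders; dropped: free once refs == 0 */
	TAILQ_ENTRY(sc) sc_timerq;
};
TAILQ_HEAD(sc_head, sc);
struct walk_result { int visited, left; };  /* entries visited / still linked */
/* drop=1 marks the entry gone, drop=0 releases a hold; unlink+free only when both */
static void sc_put(struct sc_head *q, struct sc *sc, int drop) {
	if (drop) sc->dropped = 1; else sc->refs--;
	if (sc->dropped && sc->refs == 0) {
		TAILQ_REMOVE(q, sc, sc_timerq);
		free(sc);
	}
}
/* Stand-in for syncache_respond(): re-enters the cache and may drop the
 * current entry (even ids) and/or another entry on the same chain. */
static void respond(struct sc_head *q, struct sc *sc, int drop_other) {
	struct sc *o;
	if (sc->id % 2 == 0)
		sc_put(q, sc, 1);       /* held by the walk, so it stays linked */
	TAILQ_FOREACH(o, q, sc_timerq) if (o->id == drop_other) break;
	if (o != NULL)
		sc_put(q, o, 1);        /* unheld: unlinked and freed right here */
}
/* Timer walk: hold sc across the callback, read the next pointer only after
 * the callback returns (sc is still linked while held), then release it. */
static struct walk_result timer_walk(struct sc_head *q, int drop_other) {
	struct walk_result r = { 0, 0 }; struct sc *sc, *nsc;
	for (sc = TAILQ_FIRST(q); sc != NULL; sc = nsc) {
		sc->refs++;
		respond(q, sc, drop_other);
		nsc = TAILQ_NEXT(sc, sc_timerq);
		sc_put(q, sc, 0);       /* frees sc now if respond() dropped it */
		r.visited++;
	}
	TAILQ_FOREACH(sc, q, sc_timerq) r.left++;
	return r;
}
/* Build a chain with ids 1..n (constructed input), then run the walk. */
static struct walk_result run_walk(int n, int drop_other) {
	struct sc_head q = TAILQ_HEAD_INITIALIZER(q);
	for (int i = 1; i <= n; i++) {
		struct sc *sc = calloc(1, sizeof *sc); sc->id = i;
		TAILQ_INSERT_TAIL(&q, sc, sc_timerq);
	}
	return timer_walk(&q, drop_other);
}
```

Entries dropped while held remain on the chain flagged as dropped, so any other walker over the same chain must skip entries with that flag set.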