Module Name: src
Committed By: knakahara
Date: Mon Apr 3 10:08:24 UTC 2017
Modified Files:
    src/sys/net: if_l2tp.c

Log Message:
fix potentially use after free between "ifconfig l2tpX destroy" and l2tp Tx.

It is protected by KERNEL_LOCK in soo_ioctl() between "ioctl destroy" and
other ioctls. And, it is protected by encap_lock() between "ioctl destroy"
and Rx. However, it was not protected between "ioctl destroy" and Tx.
That is,
    + CPU#A
      - do "ifconfig l2tpX destroy"
      - call l2tp_clone_destroy()
      - done l2tp_delete_tunnel()
    + CPU#B
      - begin l2tp output processing
      - call l2tp_transmit()
      - done l2tp_getref_variant()
    + CPU#A
      - done kmem_free(sc->l2tp_var, )
    + CPU#B
      - access to sc->l2tp_var after free

pointed out by s-yamaguchi@IIJ, thanks.

To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/sys/net/if_l2tp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.