[src/trunk]: src/sys/netinet6 Fix panic on destroying an interface with IPv6 ...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/sys/netinet6 Fix panic on destroying an interface with IPv6 ...
From: ozaki-r <ozaki-r%NetBSD.org@localhost>
Date: Tue, 31 Jul 2018 20:40:06 +0000

details:   https://anonhg.NetBSD.org/src/rev/56908cc3db01
branches:  trunk
changeset: 349211:56908cc3db01
user:      ozaki-r <ozaki-r%NetBSD.org@localhost>
date:      Wed Nov 30 02:08:57 2016 +0000

description:
Fix panic on destroying an interface with IPv6 addresses obtained with RA

nd6_purge depends on that IPv6 addresses are purged. If addresses remain,
pfxlist_onlink_check called from nd6_purge dereferences a dangling pointer
(ia->ia6_ndpr) that is freed before calling pfxlist_onlink_check. Fix it by
removing addresses before calling nd6_purge, which is the original behavior
that was changed by in6.c,v 1.203 and in6_ifattach.c,v 1.99.

Note that it seems the issue occurs because of a hack that forcibly destroys
prefix list entries of a given interface in nd6_purge. We should tackle the
hack in the future.

Fix PR kern/51467

diffstat:

 sys/netinet6/in6_ifattach.c |  10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diffs (37 lines):

diff -r 58da29c9f6a2 -r 56908cc3db01 sys/netinet6/in6_ifattach.c
--- a/sys/netinet6/in6_ifattach.c       Wed Nov 30 01:36:38 2016 +0000
+++ b/sys/netinet6/in6_ifattach.c       Wed Nov 30 02:08:57 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: in6_ifattach.c,v 1.106 2016/10/18 02:45:41 ozaki-r Exp $       */
+/*     $NetBSD: in6_ifattach.c,v 1.107 2016/11/30 02:08:57 ozaki-r Exp $       */
 /*     $KAME: in6_ifattach.c,v 1.124 2001/07/18 08:32:51 jinmei Exp $  */
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6_ifattach.c,v 1.106 2016/10/18 02:45:41 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6_ifattach.c,v 1.107 2016/11/30 02:08:57 ozaki-r Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -809,15 +809,15 @@
 in6_ifdetach(struct ifnet *ifp)
 {
 
+       /* nuke any of IPv6 addresses we have */
+       if_purgeaddrs(ifp, AF_INET6, in6_purgeaddr);
+
        /* remove ip6_mrouter stuff */
        ip6_mrouter_detach(ifp);
 
        /* remove neighbor management table */
        nd6_purge(ifp, NULL);
 
-       /* nuke any of IPv6 addresses we have */
-       if_purgeaddrs(ifp, AF_INET6, in6_purgeaddr);
-
        /* cleanup multicast address kludge table, if there is any */
        in6_purgemkludge(ifp);

Prev by Date: [src/trunk]: src/external/bsd/wpa/dist/wpa_supplicant grr. usec is also os_ti...
Next by Date: [src/trunk]: src/libexec/ld.elf_so add missing newline in comment
Previous by Thread: [src/trunk]: src/external/bsd/wpa/dist/wpa_supplicant grr. usec is also os_ti...
Next by Thread: [src/trunk]: src/libexec/ld.elf_so add missing newline in comment
Indexes:

Home | Main Index | Thread Index | Old Index