Source-Changes archive


CVS commit: src/sys/netinet



Module Name:    src
Committed By:   ozaki-r
Date:           Thu May 25 02:43:43 UTC 2017

Modified Files:
        src/sys/netinet: in.c

Log Message:
Fix that a fresh in_ifaddr is unexpectedly freed before activating it

An in_ifaddr object is initialized with refcnt=0 and the refcnt
is incremented when being enqueued to the lists. However, before
enqueuing it, in_ifinit can hold and release a reference to
it, i.e., call ifaref and ifafree, resulting in the object
being freed in ifafree because its refcnt is decremented to 0.

It can be reproduced by doing:
  ifconfig tun0 create
  ifconfig tun1 create
  ifconfig tun0 10.1 10.2
  ifconfig tun1 10.2 10.1
  ifconfig  # Cause a kernel panic (may depend on environments)

We need to initialize a created in_ifaddr object with refcnt=1
to make the object survive over in_ifinit.

The issue is found by ryo@


To generate a diff of this commit:
cvs rdiff -u -r1.201 -r1.202 src/sys/netinet/in.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
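As an added illustration of the refcount lifecycle the commit describes (this is not NetBSD code and not the commit's diff), the following C model uses hypothetical stand-ins for in_ifaddr, ifaref() and ifafree(); instead of calling free() when the count drops to zero it only records that the object would have been freed, so the refcnt=0 path can be observed without an actual use-after-free.

```c
/* Hypothetical model of the in_ifaddr reference lifecycle; not kernel code. */
#include <stdio.h>
#include <string.h>

struct ifaddr_sim {
    int refcnt;
    int freed;   /* set when the last reference is dropped */
};

/* Stand-in for ifaref(): take one reference. */
static void ifaref_sim(struct ifaddr_sim *ifa) { ifa->refcnt++; }

/* Stand-in for ifafree(): drop one reference; the real one frees the
 * object at zero, here we just mark it so the caller can check. */
static void ifafree_sim(struct ifaddr_sim *ifa)
{
    if (--ifa->refcnt == 0)
        ifa->freed = 1;
}

/* Stand-in for in_ifinit(): holds a reference for the duration of its
 * work and releases it before returning, exactly the pattern that is
 * fatal when the object arrived with refcnt=0. */
static void in_ifinit_sim(struct ifaddr_sim *ifa)
{
    ifaref_sim(ifa);
    /* ... address initialization work would happen here ... */
    ifafree_sim(ifa);
}

/* Create an address with the given initial refcnt, run the init step,
 * then enqueue it (the list takes its own reference). Returns 1 if the
 * object is still alive at the enqueue step, 0 if it was freed by the
 * init step's release. */
int address_survives_init(int initial_refcnt)
{
    struct ifaddr_sim ifa;
    memset(&ifa, 0, sizeof(ifa));
    ifa.refcnt = initial_refcnt;

    in_ifinit_sim(&ifa);
    if (ifa.freed)
        return 0;          /* the kernel would now touch freed memory */

    ifaref_sim(&ifa);      /* enqueue to the address list */
    return 1;
}

int main(void)
{
    printf("refcnt=0: survives=%d\n", address_survives_init(0));  /* 0 */
    printf("refcnt=1: survives=%d\n", address_survives_init(1));  /* 1 */
    return 0;
}
```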
