Subject: Re: PR/35273 CVS commit: src/sys/netinet
To: None <joerg@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Antti Kantee <pooka@cs.hut.fi>
List: netbsd-bugs
Date: 01/14/2007 16:25:02
The following reply was made to PR kern/35273; it has been noted by GNATS.
From: Antti Kantee <pooka@cs.hut.fi>
To: joerg@NetBSD.org
Cc: netbsd-bugs@netbsd.org, dlagno@rambler.ru, gnats-bugs@NetBSD.org
Subject: Re: PR/35273 CVS commit: src/sys/netinet
Date: Sun, 14 Jan 2007 18:20:59 +0200
On Sat Jan 13 2007 at 23:15:05 +0000, Joerg Sonnenberger wrote:
> Modified Files:
> src/sys/netinet: ip_output.c
>
> Log Message:
> Unconditionally zero and free iproute. Before IPsec tunnel packets e.g.
> from ICMP could end up in leaking the reference in iproute, as
> ipsec4_output would overwrite the ro pointer in state.
>
> Tested by Juraj Hercek and supposed to fix PR kern/35273 and kern/35318.
>
>
> To generate a diff of this commit:
> cvs rdiff -r1.173 -r1.174 src/sys/netinet/ip_output.c
Given that this is the hack I posted a week ago to hide the problem,
can you explain why you now consider it the correct fix, even though we
both agreed it was just a hack?
I do agree that obviously we should never come out of ip_output() with
a route cached to iproute, but shouldn't we be fixing ipsec4_output()
instead? Or at least clearly mark this as a hack? This reeks of
bug-masking code.
--
Antti Kantee <pooka@iki.fi> Of course he runs NetBSD
http://www.iki.fi/pooka/ http://www.NetBSD.org/
"the most indispensable quality of a cook is exactness"
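The leak pattern the thread argues about, as an added example that is not code from the commit or from NetBSD: a constructed, refcounted route cache in which a caller frees its on-stack route only when the callee left its pointer untouched (leak), beside the unconditional release the commit applies. All structure and function names (`rtentry`, `route`, `ipsec_state`, `ipsec_tunnel_output`, `ip_output_refcnt_delta`) are hypothetical stand-ins, not the kernel's own.

```c
#include <assert.h>
#include <stddef.h>

/* Constructed model (not NetBSD's real structures): one routing entry with
 * a reference count, cached by pointer inside a "struct route". */
struct rtentry     { int refcnt; };
struct route       { struct rtentry *ro_rt; };
struct ipsec_state { struct route *ro; };

static struct rtentry the_rt;        /* the only route; its refcnt is what we audit */
static struct route   tunnel_route;  /* the callee's own, persistently cached route */

static void rtalloc(struct route *ro) {   /* take a reference if none is cached */
    if (ro->ro_rt == NULL) { ro->ro_rt = &the_rt; the_rt.refcnt++; }
}
static void rtfree(struct route *ro) {    /* zero the cache and drop its reference */
    if (ro->ro_rt != NULL) { ro->ro_rt->refcnt--; ro->ro_rt = NULL; }
}

/* Hypothetical stand-in for the tunnel path: it replaces the caller's route
 * pointer held in the state with its own cached route. */
static void ipsec_tunnel_output(struct ipsec_state *st) {
    rtalloc(&tunnel_route);          /* no-op once the persistent cache is populated */
    st->ro = &tunnel_route;
}

/* Returns the change in the route refcount across one call, i.e. the number of
 * references leaked. `fixed` selects the unconditional free of iproute. */
int ip_output_refcnt_delta(int via_tunnel, int fixed) {
    struct route iproute = { NULL };
    struct route *ro = &iproute;
    rtalloc(&tunnel_route);          /* prime the callee's cache so it is not counted */
    int before = the_rt.refcnt;

    rtalloc(ro);                     /* cache a reference in the on-stack iproute */
    struct ipsec_state state = { ro };
    if (via_tunnel)
        ipsec_tunnel_output(&state);
    ro = state.ro;                   /* caller continues with whatever the callee left */

    if (fixed) {
        rtfree(&iproute);            /* always zero and release iproute's reference */
    } else if (ro == &iproute) {
        rtfree(ro);                  /* skipped when the pointer was swapped: leak */
    }
    return the_rt.refcnt - before;   /* 0 when balanced, 1 per leaked reference */
}
```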