(analysis) Re: ipv6 causing panic?
Matthew Dillon
dillon at apollo.backplane.com
Mon Jan 31 11:55:59 PST 2005
Ok, I think I found the problem but more eyes would not hurt.
netinet/in_gif.c/in_gif_input() is using:
gifp = (struct ifnet *)encap_getarg(m);
...
But encap_getarg() does this:
void *
encap_getarg(m)
struct mbuf *m;
{
void *p = NULL;
struct m_tag *tag;
tag = m_tag_find(m, PACKET_TAG_ENCAP, NULL);
if (tag != NULL) {
p = (void *)(tag + 1);
m_tag_delete(m, tag);
}
return p;
}
As far as I can tell, encap_getarg() is returning a pointer to
data that it has already free()'d. I think it has to return
*(void **)(tag+ 1) rather then (void *)(tag + 1).
Peter and Simon, please try the patch enclosed below.
-Matt
Matthew Dillon
<dillon at xxxxxxxxxxxxx>
Index: netinet/ip_encap.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_encap.c,v
retrieving revision 1.10
diff -u -r1.10 ip_encap.c
--- netinet/ip_encap.c 6 Jan 2005 09:14:13 -0000 1.10
+++ netinet/ip_encap.c 31 Jan 2005 19:54:13 -0000
@@ -512,7 +512,7 @@
tag = m_tag_find(m, PACKET_TAG_ENCAP, NULL);
if (tag != NULL) {
- p = (void *)(tag + 1);
+ p = *(void **)(tag + 1);
m_tag_delete(m, tag);
}
return p;
More information about the Bugs
mailing list