DragonFly- master sys/net route.c rtsock.c

Sepherosa Ziehau sephe at crater.dragonflybsd.org
Sat Jun 6 18:49:14 PDT 2009

commit 6e6b3e5072071a4abf74a5fa5fb711fa47a57a3b
Author: Sepherosa Ziehau <sephe at dragonflybsd.org>
Date:   Sun Jun 7 09:21:09 2009 +0800

    route_output: Fix RTM_DELETE rtentry leakage
    This actually incorporates two dependent changes.
    - Change to routing code:
      Keep the rtinfo in the netmsg unchanged, so all CPU on the ntemsg
      forwarding path will see the same rtinfo setup by rtrequest1_global()
      or rtsearch_global()'s caller, instead of the rtinfo baked by the
      previous CPU.
      This is critical step before we could free the rtentry in route_output()
      RTM_DELETE callback, since in this callback, fillrtmsg() will change
      the rtinfo to point the current rtentry's memory.  As long as we feed
      it a rtinfo local copy, we are safe to free the rtentry later, no
      dangling memory reference anymore.
    - Change to the rtsock code:
      Since the rtinfo setup in the route_output() points to the memory in
      the preallocated rtm, so we could not allow the callback of
      rtrequset1_global()/ rtsearch_global() to free the rtm if reallocation
      is required due to the rtm size changes.  We keep two different pointer
      fields in the callback argument now.  One is the save the preallocated
      rtm, which is pointed to by the rtinfo.  It could be freed only after
      a new rtm is allocated and rtrequset1_global()/ rtsearch_global() are
      done, so rtinfo will not reference invalid memory.  The other pointer
      saves the new rtm if there is any.
    Comments are added to the related places.
    Reported-by: ruse39 on EFnet

Summary of changes:
 sys/net/route.c  |   43 ++++++++++++++++++++---------
 sys/net/rtsock.c |   80 ++++++++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 93 insertions(+), 30 deletions(-)


DragonFly BSD source repository

More information about the Commits mailing list