Hello Hrvoje,
On Mon, May 23, 2022 at 06:34:07PM +0200, Hrvoje Popovski wrote:
> On 23.5.2022. 10:41, Hrvoje Popovski wrote:
> > On 23.5.2022. 8:34, Alexandr Nedvedicky wrote:
> >> looks like kind of memory corruption. my bet is use-after-free.
> >> will try to get to it later today.
> >>
> >> does it mean there is no such panic, when we handle IPv4 traffic only?
> >
> > Hi,
> >
> > yes, it seems that i can't trigger panic with ip4 only traffic, at least
> > the same way i can with ip6 traffic
> >
>
> All day I'm trying to trigger panic with ip4 and I just can't ....
interesting. I went through mbuf handling in if_veb.c
I just could find a single nit, which is most likely unrelated,
however I think it's still worth to give it a try a diff below.
basically all calls to veb_pf() read as follows:
m = veb_pf(ifp, ..., m);
except the one in veb_broadcast(), which readsa as:
m = veb_pf(ifp, ..., m0);
I think it is a bug, veb_pf() caller should continue to run
with packet returned by veb_pf().
thanks and
regards
sashan
--------8<---------------8<---------------8<------------------8<--------
diff --git a/sys/net/if_veb.c b/sys/net/if_veb.c
index 67185fde228..30a002f95a2 100644
--- a/sys/net/if_veb.c
+++ b/sys/net/if_veb.c
@@ -944,7 +944,7 @@ veb_broadcast(struct veb_softc *sc, struct veb_port *rp,
struct mbuf *m0,
* let pf look at it, but use the veb interface as a proxy.
*/
if (ISSET(ifp->if_flags, IFF_LINK1) &&
- (m = veb_pf(ifp, PF_OUT, m0)) == NULL)
+ (m0 = veb_pf(ifp, PF_OUT, m0)) == NULL)
return;
#endif
