Dan McDonald writes:
> if (v4 != NULL) {
>     if (!(v4->ill_flags & ILL_CONDEMNED)) {
> ------- YIKE! ----> tun =
>             (tun_t *)v4->ill_wq->q_next->q_ptr;
Yikes indeed. It assumes that q_next here points to an instance of
'tun'. Given the existence of _I_INSERT, I don't see how you can
guarantee that q_next is stable, let alone that it points to the
instance expected. One user-pushed module, and it's game over.
> Don't worry about itp and tun. Worry about the line with "YIKE!" pointing at
> it. The comments in ip.h suggest I can get away with what I just said,
> because ill_wq is write-once, and the ill's queue is good so long as it's not
> condemned.
The queue in ill_wq should be valid as long as the ill_t is around.
The actual contents of that pointed-to structure don't have the same
guarantee.
You also need to be really careful about the references held to make
sure there are no cycles here. You're taking a reference on tun_t.
If tearing down tun_t (which will happen when the ill_t is unplumbed)
requires that this module holding the reference (whatever it's doing)
goes away, then you'll deadlock on unplumb.
--
James Carlson, KISS Network <[EMAIL PROTECTED]>
Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
_______________________________________________
networking-discuss mailing list
[email protected]
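As an added illustration of the "YIKE!" line discussed above (this is not code from the thread, from ip, or from the Solaris STREAMS sources), the following user-space model uses deliberately simplified mock versions of the queue_t, qinit and module_info shapes and a constructed stream (ip write queue, an optional pushed module, then tun). It shows that the blind cast of q_next->q_ptr picks up the pushed module's private data instead of the tun_t, and how a module-identity check before the cast rules that case out; the check does not address the q_next stability problem James raises, which needs a lock or a held reference.

```c
#include <stddef.h>
#include <string.h>

/* Simplified mocks of the sys/stream.h shapes (assumption: the real
 * kernel structs carry many more fields; only those used here exist). */
typedef struct module_info { const char *mi_idname; } module_info_t;
typedef struct qinit { module_info_t *qi_minfo; } qinit_t;
typedef struct queue {
    qinit_t *q_qinfo;       /* which module owns this queue */
    void *q_ptr;            /* that module's private per-instance data */
    struct queue *q_next;   /* next queue downstream on the write side */
} queue_t;

typedef struct tun { int tun_id; } tun_t;          /* what the ip code expects */
typedef struct filter { char tag[8]; } filter_t;   /* a user-pushed module's data */

/* The pattern quoted in the thread: trust that q_next is tun. */
tun_t *tun_unchecked(queue_t *ill_wq) {
    return (tun_t *)ill_wq->q_next->q_ptr;
}

/* Defensive variant: confirm the module identity before casting q_ptr.
 * This only rules out the wrong-module case; it does not make q_next
 * stable against a concurrent _I_INSERT (that needs a lock or reference). */
tun_t *tun_checked(queue_t *ill_wq) {
    queue_t *q = ill_wq->q_next;
    if (q == NULL || q->q_qinfo == NULL || q->q_qinfo->qi_minfo == NULL)
        return NULL;
    if (strcmp(q->q_qinfo->qi_minfo->mi_idname, "tun") != 0)
        return NULL;    /* something other than tun sits below ip */
    return (tun_t *)q->q_ptr;
}

/* Constructed stream (names are made up): ip -> [pfilter] -> tun. */
static module_info_t tun_mi = { "tun" }, flt_mi = { "pfilter" };
static qinit_t tun_qi = { &tun_mi }, flt_qi = { &flt_mi }, ip_qi = { NULL };
static tun_t the_tun = { 7 };
static filter_t the_filter = { "ACL" };
static queue_t tun_q = { &tun_qi, &the_tun, NULL };
static queue_t flt_q = { &flt_qi, &the_filter, &tun_q };

/* Returns 1 when the unchecked cast yields something other than the tun_t
 * (compared by pointer identity, so nothing is read through a wrong type). */
int unchecked_misfires(int module_pushed) {
    queue_t ip_wq = { &ip_qi, NULL, module_pushed ? &flt_q : &tun_q };
    return tun_unchecked(&ip_wq) != &the_tun;
}

tun_t *checked_lookup(int module_pushed) {
    queue_t ip_wq = { &ip_qi, NULL, module_pushed ? &flt_q : &tun_q };
    return tun_checked(&ip_wq);
}
```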