CVSROOT: /cvs Module name: src Changes by: m...@cvs.openbsd.org 2020/08/04 03:32:05
Modified files: lib/libc/sys : sysctl.2 sys/net : if.c netisr.h pipex.c pipex.h pipex_local.h Log message: We have `pipexinq' and `pipexoutq' mbuf(9) queues to store pipex(4) related mbufs. Each mbuf(9) passed to these queues stores the pointer to corresponding pipex(4) session referenced as `m_pkthdr.ph_cookie'. When session was destroyed its reference can still be in these queues so we have use after free issue while pipexintr() dereference it. I removed `pipexinq', `pipexoutq' and pipexintr(). This not only allows us to avoid issue described above, but also removes unnecessary context switch in packet processing. Also it makes code simpler. ok mpi@ yasuoka@