CVSROOT: /cvs
Module name: src
Changes by: m...@cvs.openbsd.org 2020/08/04 03:32:05
Modified files:
lib/libc/sys : sysctl.2
sys/net : if.c netisr.h pipex.c pipex.h pipex_local.h
Log message:
We have `pipexinq' and `pipexoutq' mbuf(9) queues to store pipex(4)
related mbufs. Each mbuf(9) passed to these queues stores the pointer to
corresponding pipex(4) session referenced as `m_pkthdr.ph_cookie'. When
session was destroyed its reference can still be in these queues so we
have use after free issue while pipexintr() dereference it.
I removed `pipexinq', `pipexoutq' and pipexintr(). This not only allows
us to avoid issue described above, but also removes unnecessary context
switch in packet processing. Also it makes code simpler.
ok mpi@ yasuoka@
