Author: ae
Date: Mon May 27 12:41:41 2019
New Revision: 348303
URL: https://svnweb.freebsd.org/changeset/base/348303
Log: Fix possible NULL pointer dereference. bpf_mtap() can invoke catchpacket() for already detached descriptor. And this can lead to NULL pointer dereference, since bd_bif pointer was reset to NULL in bpf_detachd_locked(). To avoid this, use NET_EPOCH_WAIT() when descriptor is removed from interface's descriptors list. After the wait it is safe to modify descriptor's content. Submitted by: kib Reported by: slavash MFC after: 1 week Modified: head/sys/net/bpf.c Modified: head/sys/net/bpf.c ============================================================================== --- head/sys/net/bpf.c Mon May 27 06:37:23 2019 (r348302) +++ head/sys/net/bpf.c Mon May 27 12:41:41 2019 (r348303) @@ -850,10 +850,15 @@ bpf_detachd_locked(struct bpf_d *d, bool detached_ifp) /* Check if descriptor is attached */ if ((bp = d->bd_bif) == NULL) return; + /* + * Remove d from the interface's descriptor list. + * And wait until bpf_[m]tap*() will finish their possible work + * with descriptor. + */ + CK_LIST_REMOVE(d, bd_next); + NET_EPOCH_WAIT(); BPFD_LOCK(d); - /* Remove d from the interface's descriptor list. */ - CK_LIST_REMOVE(d, bd_next); /* Save bd_writer value */ error = d->bd_writer; ifp = bp->bif_ifp; _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
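Review bot: NET_EPOCH_WAIT() is a blocking wait for all in-progress epoch readers to leave their section, and it is now called from bpf_detachd_locked(), whose name says the caller already holds a lock; the new comment should state which lock that is and that it must be one the thread may sleep under, since a caller reaching this path from a non-sleepable context would now block inside the wait. The reordering itself is sound: CK_LIST_REMOVE(d, bd_next) runs before the wait, so readers entering after the removal never see d, and any reader that already found d in bpf_[m]tap*() has finished by the time the BPFD_LOCK(d) section below starts touching the descriptor, which closes the bd_bif NULL dereference the log describes. That guarantee holds only if every list walker actually runs inside an epoch section, so it is worth a line in the comment to say the list is traversed under NET_EPOCH_ENTER. Minor wording: "wait until bpf_[m]tap*() will finish their possible work" reads better as "wait until any in-flight bpf_[m]tap*() calls finish using the descriptor".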