On 4/22/19 9:52 AM, Enji Cooper wrote:
On Apr 22, 2019, at 12:27 AM, Hans Petter Selasky <hsela...@freebsd.org> wrote:
Author: hselasky
Date: Mon Apr 22 07:27:24 2019
New Revision: 346530
URL: https://svnweb.freebsd.org/changeset/base/346530
Log:
Fix panic in network stack due to memory use after free in relation to
fragmented packets.
When sending IPv4 and IPv6 fragmented packets and a fragment is lost,
the mbuf making up the fragment will remain in the temporary hashed
fragment list for a while. If the network interface departs before the
so-called slow timeout clears the packet, the fragment causes a panic
when the timeout kicks in due to accessing a freed network interface
structure.
Make sure that when a network device is departing, all hashed IPv4 and
IPv6 fragments belonging to it get freed.
Backtrace:
panic()
icmp6_reflect()
hlim = ND_IFINFO(m->m_pkthdr.rcvif)->chlim;
^^^^ rcvif->if_afdata[AF_INET6] is NULL.
icmp6_error()
frag6_freef()
frag6_slowtimo()
pfslowtimo()
softclock_call_cc()
softclock()
ithread_loop()
Differential Revision: https://reviews.freebsd.org/D19622
Reviewed by: bz (network), adrian
MFC after: 1 week
Sponsored by: Mellanox Technologies
This commit broke the build on mips, etc:
07:36:06 --- ip_reass.o ---
07:36:06 /usr/src/sys/netinet/ip_reass.c:641: error: expected ')' before '(' token
07:36:06 *** [ip_reass.o] Error code 1
EVENTHANDLER_DEFINE looks like it doesn’t work with gcc?
I'm looking into it.
Thank you!
--HPS
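
The bug and fix described in the commit log above, as a simplified user-space model. This is an added example, not code from the FreeBSD commit or from anyone in this thread; every struct and function name in it is hypothetical, and a detached interface is modelled by a NULL afdata pointer rather than by freed memory.

```c
#include <stdlib.h>

/* User-space model; all names here are hypothetical, not FreeBSD's. */
struct ifnet { void *afdata; };   /* NULL once the interface has detached */
struct frag { struct ifnet *rcvif; struct frag *next; };

#define NBUCKETS 4
static struct frag *buckets[NBUCKETS];   /* hashed list of incomplete packets */

/* Park a fragment received on ifp until the rest of its packet arrives. */
int frag_enqueue(struct ifnet *ifp, unsigned hash) {
    struct frag *f = malloc(sizeof(*f));
    if (f == NULL) return -1;
    f->rcvif = ifp;
    f->next = buckets[hash % NBUCKETS];
    buckets[hash % NBUCKETS] = f;
    return 0;
}

/* Departure hook: free every parked fragment that still points at ifp. */
int frag_purge_ifnet(const struct ifnet *ifp) {
    int freed = 0;
    for (int i = 0; i < NBUCKETS; i++) {
        struct frag **pp = &buckets[i];
        while (*pp != NULL) {
            struct frag *f = *pp;
            if (f->rcvif != ifp) { pp = &f->next; continue; }
            *pp = f->next;   /* unlink before freeing */
            free(f);
            freed++;
        }
    }
    return freed;
}

/* Slow timeout: expire all fragments; count those whose rcvif has already
 * detached. In the kernel that dereference is the reported panic. */
int frag_slowtimo(void) {
    int stale = 0;
    for (int i = 0; i < NBUCKETS; i++) {
        while (buckets[i] != NULL) {
            struct frag *f = buckets[i];
            buckets[i] = f->next;
            if (f->rcvif->afdata == NULL) stale++;
            free(f);
        }
    }
    return stale;
}
```

Calling frag_purge_ifnet() before the interface is torn down leaves frag_slowtimo() with no stale rcvif to follow; skipping it leaves one stale reference per lost fragment.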