Bad stuff happens when the ifa lookup tree gets corrupted.
In my case local traffic was suddenly no longer local and was
forwarded to lo0 ad infinitum.
This was caused by the usage of rdomains and destroing pseudo interfaces.
The sadl address was still in rdomain 0, was therefor not found in the
tree and so you end up with a bad node and a use after free.
The following diff solves this by removing and readding the sadl to the RB
tree when switching rdomain.
OK?
--
:wq Claudio
Index: if.c
===================================================================
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.283
diff -u -p -r1.283 if.c
--- if.c 10 Apr 2014 13:47:21 -0000 1.283
+++ if.c 18 Apr 2014 16:03:11 -0000
@@ -1515,6 +1580,8 @@ ifioctl(struct socket *so, u_long cmd, c
#ifdef INET
in_ifdetach(ifp);
#endif
+ /* remove sadl from ifa RB tree */
+ ifa_del(ifp, ifp->if_lladdr);
splx(s);
}
@@ -1525,6 +1592,9 @@ ifioctl(struct socket *so, u_long cmd, c
/* Add interface to the specified rdomain */
ifp->if_rdomain = ifr->ifr_rdomainid;
+
+ /* re-add sadl to the ifa RB tree in new rdomain */
+ ifa_add(ifp, ifp->if_lladdr);
break;
case SIOCAIFGROUP:
