Date:      Wed, 29 Aug 2007 08:24:58 +0100
From:      "Bruce M. Simpson" <bms@FreeBSD.org>
To:        "Christian S.J. Peron" <csjp@FreeBSD.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: [csjp@FreeBSD.org: Re: rtfree: 0xffffff00036fb1e0 has 1 refs]
Message-ID:  <46D51F4A.1050004@FreeBSD.org>
In-Reply-To: <46D48A3D.6080901@FreeBSD.org>
References:  <20070828165333.GA14159@sub.vaned.net> <46D48A3D.6080901@FreeBSD.org>

BTW: Casual inspection with kscope suggests there is a similar
free-while-locked issue in nd6_ns_input() (netinet6/nd6_nbr.c) and
in_arpinput() (netinet/if_ether.c).

nd6_ns_input() references rt->rt_gateway after rtfree(), a potential
race, not to mention a use-after-free.

I haven't checked Coverity for this, but it just doesn't look right.

BMS
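
The release-then-dereference ordering described in the message, as an added example that is not part of the original e-mail and is not FreeBSD source. `toy_rtentry`, `toy_rtfree()` and the sample gateway string are hypothetical stand-ins; the "free" poisons the field rather than returning memory, so the stale read is deterministic instead of undefined.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-ins, NOT the FreeBSD structures: a refcounted route whose
 * gateway field is poisoned on last release instead of being freed. */
struct toy_rtentry {
    int  rt_refcnt;
    char rt_gateway[16];   /* constructed sample data */
};

static void toy_rtfree(struct toy_rtentry *rt)
{
    if (--rt->rt_refcnt == 0)   /* last reference gone: object is dead */
        memset(rt->rt_gateway, 0xDE, sizeof(rt->rt_gateway));
}

static void toy_init(struct toy_rtentry *rt)
{
    rt->rt_refcnt = 1;
    /* strncpy zero-pads the remainder of the 16-byte field */
    strncpy(rt->rt_gateway, "fe80::1", sizeof(rt->rt_gateway));
}

/* Ordering flagged in the message: release first, dereference after.
 * Returns 1 if the gateway read back is still the expected value. */
int read_after_release(void)
{
    struct toy_rtentry rt;
    toy_init(&rt);
    toy_rtfree(&rt);                                /* reference dropped */
    return memcmp(rt.rt_gateway, "fe80::1", 8) == 0; /* stale read */
}

/* Corrected ordering: copy what is needed while the reference is held. */
int read_before_release(void)
{
    struct toy_rtentry rt;
    char gw[sizeof(rt.rt_gateway)];
    toy_init(&rt);
    memcpy(gw, rt.rt_gateway, sizeof(gw));          /* use under reference */
    toy_rtfree(&rt);
    return memcmp(gw, "fe80::1", 8) == 0;
}

int main(void)
{
    printf("release-then-read sees valid gateway: %d\n", read_after_release());
    printf("read-then-release sees valid gateway: %d\n", read_before_release());
    return 0;
}
```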



