Date: Wed, 6 Apr 2011 23:55:01 +0200 (CEST) From: Ingo Flaschberger <if@xip.at> To: freebsd-net@FreeBSD.org Subject: ip_forward / ip_output / RTFREE? Message-ID: <alpine.LRH.2.00.1104062350520.2152@filebunker.xip.at>
next in thread | raw e-mail | index | archive | help
Hi,
in sys/netinet/ip_output.c at the end of ip_output:
done:
if (ro == &iproute && ro->ro_rt && !nortfree) {
RTFREE(ro->ro_rt);
}
ro->ro_rt gets freed, if not from flowtable.
but in sys/netinet/ip_input.c, ip_forward after ip_output is called:
error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL);
if (error == EMSGSIZE && ro.ro_rt)
mtu = ro.ro_rt->rt_rmx.rmx_mtu;
if (ro.ro_rt)
RTFREE(ro.ro_rt);
first the mtu is saved an the it will be freed.
so:
*) double free? - mtu could be invalid?
*) could also free a flowtable entry?
Mit freundlichen Gruessen,
Ingo Flaschberger
Geschaeftsleitung
____________________________________
crossip communications gmbh
A-1020 Wien, Sebastian Kneipp Gasse 1/3
Sitz der Gesellschaft: 1020 Wien, Oesterreich
Firmenbuchgericht: Handelsgericht Wien, FN 269698 s,
Umsatzsteueridentifikationsnummer (UID): ATU62080367
Haftungsausschluss / Disclaimer <http://www.xip.at/content/view/278/>;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.LRH.2.00.1104062350520.2152>