Date: Tue, 07 Aug 2001 21:44:36 +0900 From: JINMEI Tatuya / =?ISO-2022-JP?B?GyRCP0BMQEMjOkgbKEI=?= <jinmei@isl.rdc.toshiba.co.jp> To: freebsd-net@FreeBSD.ORG Subject: possible duplicated free in kernel Message-ID: <y7vvgk082ff.wl@condor.jinmei.org>
next in thread | raw e-mail | index | archive | help
(Probably I have to make a PR...,) The latest RELNEG_4 version (rev. 1.7.2.4) of sys/netinet6/raw_ip6.c has the following code fragment: rip6_output() ... freectl: if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt) RTFREE(optp->ip6po_route.ro_rt); if (control) { if (optp == &opt) ip6_clearpktopts(optp, 0, -1); Thus, it can call RTFREE inside the function. However, ip6_clearpktopts(defined in netinet6/ip6_output.c) also calls RTFREE: ip6_clearpktopts() ... if (pktopt->ip6po_route.ro_rt) { RTFREE(pktopt->ip6po_route.ro_rt); pktopt->ip6po_route.ro_rt = NULL; } Consequently, optp->ip6po_route.ro_rt can be freed two times, unexpectedly. Here is a patch to fix the problem. Please review it, and merge it to the repository (hopefully before 4.4-RELEASE.) if acceptable. Thanks, JINMEI, Tatuya Communication Platform Lab. Corporate R&D Center, Toshiba Corp. jinmei@isl.rdc.toshiba.co.jp *** raw_ip6.c.orig Tue Aug 7 21:42:30 2001 --- raw_ip6.c Tue Aug 7 21:42:36 2001 *************** *** 472,479 **** m_freem(m); freectl: - if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt) - RTFREE(optp->ip6po_route.ro_rt); if (control) { if (optp == &opt) ip6_clearpktopts(optp, 0, -1); --- 472,477 ---- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?y7vvgk082ff.wl>