Date:      Tue, 07 Aug 2001 21:44:36 +0900
From:      JINMEI Tatuya / 神明達哉 <jinmei@isl.rdc.toshiba.co.jp>
To:        freebsd-net@FreeBSD.ORG
Subject:   possible duplicated free in kernel
Message-ID:  <y7vvgk082ff.wl@condor.jinmei.org>

(Probably I have to make a PR...)

The latest RELENG_4 version (rev. 1.7.2.4) of sys/netinet6/raw_ip6.c
has the following code fragment:

rip6_output()
...
 freectl:
	if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
		RTFREE(optp->ip6po_route.ro_rt);
	if (control) {
		if (optp == &opt)
			ip6_clearpktopts(optp, 0, -1);

Thus, it can call RTFREE inside the function.  However,
ip6_clearpktopts (defined in netinet6/ip6_output.c) also calls RTFREE:

ip6_clearpktopts()
...
		if (pktopt->ip6po_route.ro_rt) {
			RTFREE(pktopt->ip6po_route.ro_rt);
			pktopt->ip6po_route.ro_rt = NULL;
		}

Consequently, optp->ip6po_route.ro_rt can be freed two times,
unexpectedly.

Here is a patch to fix the problem.  Please review it, and merge it
to the repository (hopefully before 4.4-RELEASE) if acceptable.

Thanks,

					JINMEI, Tatuya
					Communication Platform Lab.
					Corporate R&D Center, Toshiba Corp.
					jinmei@isl.rdc.toshiba.co.jp


*** raw_ip6.c.orig	Tue Aug  7 21:42:30 2001
--- raw_ip6.c	Tue Aug  7 21:42:36 2001
***************
*** 472,479 ****
  		m_freem(m);
  
   freectl:
- 	if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
- 		RTFREE(optp->ip6po_route.ro_rt);
  	if (control) {
  		if (optp == &opt)
  			ip6_clearpktopts(optp, 0, -1);
--- 472,477 ----
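Review bot: dropping the RTFREE here leaves the release of ip6po_route.ro_rt entirely to ip6_clearpktopts(optp, 0, -1), which only runs inside `if (control)`; the hunk does not show how optp is assigned, so please confirm that `optp == &opt` can only hold when control is non-NULL, otherwise the route the removed lines released would now leak on that path. A one-line comment at `freectl:` noting that ip6_clearpktopts() both frees and NULLs ip6po_route.ro_rt would also keep a later reader from re-adding the explicit RTFREE.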

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
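The double free described in the message above, as an added C model that is not the kernel's or the poster's code: the struct and function names mirror raw_ip6.c, but the refcount and "freed" bookkeeping, the non-NULL rthdr stub and the control flag are assumptions made so the unpatched and patched cleanup paths can be compared.

```c
#include <stdio.h>

/* Constructed stand-ins for the kernel structures, not the real definitions. */
struct rtentry { int rt_refcnt; int freed; };
struct route_in6 { struct rtentry *ro_rt; };
struct ip6_pktopts { void *ip6po_rthdr; struct route_in6 ip6po_route; };

static int double_frees;	/* times an already freed entry was freed again */

/* Model of RTFREE(): drop one reference and release the entry at zero. */
static void rtfree_model(struct rtentry *rt)
{
	if (rt->freed) { double_frees++; return; }
	if (--rt->rt_refcnt <= 0) rt->freed = 1;
}

/* Model of ip6_clearpktopts(): free the cached route and clear the pointer. */
static void clearpktopts_model(struct ip6_pktopts *pktopt)
{
	if (pktopt->ip6po_route.ro_rt) {
		rtfree_model(pktopt->ip6po_route.ro_rt);
		pktopt->ip6po_route.ro_rt = NULL;
	}
}

/* Run the freectl: cleanup with optp == &opt and a control mbuf present.
 * patched == 0 keeps the extra RTFREE of rev. 1.7.2.4; patched == 1 drops it.
 * Returns the number of double frees observed. */
int freectl_double_frees(int patched)
{
	static int rthdr_stub;			/* stands in for a non-NULL ip6po_rthdr */
	struct rtentry rt = { 1, 0 };		/* one reference, held by opt */
	struct ip6_pktopts opt = { &rthdr_stub, { &rt } };
	struct ip6_pktopts *optp = &opt;
	int control = 1;			/* assumption: control mbuf was supplied */
	double_frees = 0;
	if (!patched && optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
		rtfree_model(optp->ip6po_route.ro_rt);	/* ro_rt is left dangling */
	if (control && optp == &opt)
		clearpktopts_model(optp);		/* frees the same ro_rt again */
	return double_frees;
}

int main(void)
{
	printf("unpatched: %d double free(s), patched: %d\n",
	    freectl_double_frees(0), freectl_double_frees(1));
	return 0;
}
```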