Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 8 Aug 2001 09:04:18 +0800
From:      "David Xu" <bsddiy@163.net>
To:        <freebsd-net@FreeBSD.ORG>, <jinmei@isl.rdc.toshiba.co.jp>
Subject:   Re: possible duplicated free in kernel
Message-ID:  <001601c11fa6$0d4ce560$6201a8c0@William>
References:  <y7vvgk082ff.wl@condor.jinmei.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
Why don't you  report it via PR?  I suspect most patches will be lost in =
this mailling list.

--
David Xu

----- Original Message -----=20
From: <JINMEI Tatuya / =1B$B?@L@C#:H=1B (B =
<jinmei@isl.rdc.toshiba.co.jp>)>
To: <freebsd-net@FreeBSD.ORG>
Sent: Tuesday, August 07, 2001 8:44 PM
Subject: possible duplicated free in kernel


> (Probably I have to make a PR...,)
>=20
> The latest RELNEG_4 version (rev. 1.7.2.4) of sys/netinet6/raw_ip6.c
> has the following code fragment:
>=20
> rip6_output()
> ..
>  freectl:
> if (optp =3D=3D &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
> RTFREE(optp->ip6po_route.ro_rt);
> if (control) {
> if (optp =3D=3D &opt)
> ip6_clearpktopts(optp, 0, -1);
>=20
> Thus, it can call RTFREE inside the function.  However,
> ip6_clearpktopts(defined in netinet6/ip6_output.c) also calls RTFREE:
>=20
> ip6_clearpktopts()
> ..
> if (pktopt->ip6po_route.ro_rt) {
> RTFREE(pktopt->ip6po_route.ro_rt);
> pktopt->ip6po_route.ro_rt =3D NULL;
> }
>=20
> Consequently, optp->ip6po_route.ro_rt can be freed two times,
> unexpectedly.
>=20
> Here is a patch to fix the problem.  Please review it, and merge it
> to the repository (hopefully before 4.4-RELEASE.) if acceptable.
>=20
> Thanks,
>=20
> JINMEI, Tatuya
> Communication Platform Lab.
> Corporate R&D Center, Toshiba Corp.
> jinmei@isl.rdc.toshiba.co.jp
>=20
>=20
> *** raw_ip6.c.orig Tue Aug  7 21:42:30 2001
> --- raw_ip6.c Tue Aug  7 21:42:36 2001
> ***************
> *** 472,479 ****
>   m_freem(m);
>  =20
>    freectl:
> - if (optp =3D=3D &opt && optp->ip6po_rthdr && =
optp->ip6po_route.ro_rt)
> - RTFREE(optp->ip6po_route.ro_rt);
>   if (control) {
>   if (optp =3D=3D &opt)
>   ip6_clearpktopts(optp, 0, -1);
> --- 472,477 ----
>=20
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001601c11fa6$0d4ce560$6201a8c0>