Date: Thu, 24 Jul 2003 11:21:46 -0400
From: Don Bowman <don@sandvine.com>
To: "'freesd-ipfw@freebsd.org'" <freesd-ipfw@freebsd.org>, "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org>
Subject: splx() bug in ip_dummynet?
Message-ID: <FE045D4D9F7AED4CBFF1B3B813C8533702741F83@mail.sandvine.com>

1.24.2.2 of ip_dummynet.c [RELENG_4] has a bug I'm thinking,
can someone comment?

In the below snippet, the value of 's' from splimp() is overwritten
by the return value of alloc_hash(), which is an errno.
If it's != 0, then there's a missing splx(). If it is == 0,
then splx() is called with the wrong value.

[I've filed a PR against this, and will probably change
the alloc_hash to use a different return value in my tree]

    s = splimp();
    x->bandwidth = p->bandwidth ;
    x->numbytes = 0; /* just in case... */
    bcopy(p->if_name, x->if_name, sizeof(p->if_name) );
    x->ifp = NULL ; /* reset interface ptr */
    x->delay = p->delay ;
    set_fs_parms(&(x->fs), pfs);

    if ( x->fs.rq == NULL ) { /* a new pipe */
        s = alloc_hash(&(x->fs), pfs) ;
        if (s) {
            free(x, M_DUMMYNET);
            return s ;
        }
        x->next = b ;
        if (a == NULL)
            all_pipes = x ;
        else
            a->next = x ;
    }
    splx(s);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?FE045D4D9F7AED4CBFF1B3B813C8533702741F83>
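
The two failure paths described in the message can be reproduced in user space. The following is an added example, not part of the original e-mail and not FreeBSD code: splimp()/splx() are modelled as a simple integer level, and alloc_hash_stub(), config_pipe_buggy(), config_pipe_fixed() and ipl_after() are hypothetical names. The repair shown (a separate errno variable) is one possible fix, assumed here for illustration.

```c
#include <errno.h>
#include <stdio.h>
/* User-space model of the spl primitives, constructed for this example. */
enum { IPL_IMP = 5 };
static int cur_ipl;                      /* simulated interrupt priority level */
static int splimp(void) { int old = cur_ipl; cur_ipl = IPL_IMP; return old; }
static void splx(int s) { cur_ipl = s; }

/* Hypothetical stand-in for alloc_hash(): 0 on success, an errno on failure. */
static int alloc_hash_stub(int fail) { return fail ? ENOMEM : 0; }

/* Same control flow as the snippet in the message: 's' is reused for the errno. */
static int config_pipe_buggy(int new_pipe, int fail)
{
    int s = splimp();
    if (new_pipe) {
        s = alloc_hash_stub(fail);       /* saved level is lost here */
        if (s)
            return s;                    /* error path: splx() never runs */
    }
    splx(s);                             /* new pipe, success: this is splx(0) */
    return 0;
}

/* One possible repair (an assumption): keep the errno in its own variable. */
static int config_pipe_fixed(int new_pipe, int fail)
{
    int error = 0;
    int s = splimp();
    if (new_pipe)
        error = alloc_hash_stub(fail);
    splx(s);                             /* every path restores the saved level */
    return error;
}

/* Run fn with the caller at level 'start'; report the level left behind. */
static int ipl_after(int (*fn)(int, int), int start, int new_pipe, int fail)
{
    cur_ipl = start;
    fn(new_pipe, fail);
    return cur_ipl;
}

int main(void)
{
    printf("buggy, alloc fails: ipl %d\n", ipl_after(config_pipe_buggy, 3, 1, 1));
    printf("buggy, alloc ok:    ipl %d\n", ipl_after(config_pipe_buggy, 3, 1, 0));
    printf("fixed, alloc fails: ipl %d\n", ipl_after(config_pipe_fixed, 3, 1, 1));
}
```

With a caller that enters at level 3, the buggy form leaves the level raised when the allocation fails and drops it to 0 when the allocation succeeds; the repaired form returns to 3 in both cases.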