Date: Thu, 24 Jul 2003 11:21:46 -0400 From: Don Bowman <don@sandvine.com> To: "'freesd-ipfw@freebsd.org'" <freesd-ipfw@freebsd.org>, "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org> Subject: splx() bug in ip_dummynet? Message-ID: <FE045D4D9F7AED4CBFF1B3B813C8533702741F83@mail.sandvine.com>
next in thread | raw e-mail | index | archive | help
1.24.2.2 of ip_dummynet.c [RELENG_4] has a bug I'm thinking, can someone
comment?
In the below snippet, the value of 's' from splimp() is
overwritten by the return value of alloc_hash(), which is
an errno. If its != 0, then there's a missing splx().
If it is == 0, then splx() is called with the wrong value.
[i've filed a PR against this, and will probably change
the alloc_hash to use a different return value in my tree]
s = splimp();
x->bandwidth = p->bandwidth ;
x->numbytes = 0; /* just in case... */
bcopy(p->if_name, x->if_name, sizeof(p->if_name) );
x->ifp = NULL ; /* reset interface ptr */
x->delay = p->delay ;
set_fs_parms(&(x->fs), pfs);
if ( x->fs.rq == NULL ) { /* a new pipe */
s = alloc_hash(&(x->fs), pfs) ;
if (s) {
free(x, M_DUMMYNET);
return s ;
}
x->next = b ;
if (a == NULL)
all_pipes = x ;
else
a->next = x ;
}
splx(s);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?FE045D4D9F7AED4CBFF1B3B813C8533702741F83>