Date:      Sat, 28 Jun 2003 21:19:56 -0400
From:      Don Bowman <don@sandvine.com>
To:        "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org>
Subject:   using memory after freed in tcp_syncache (syncache_timer())
Message-ID:  <FE045D4D9F7AED4CBFF1B3B813C8533702741BE7@mail.sandvine.com>

syncache_timer()
 ...
                /*
                 * syncache_respond() may call back into the syncache to
                 * modify another entry, so do not obtain the next
                 * entry on the timer chain until it has completed.
                 */
                (void) syncache_respond(sc, NULL);
                nsc = TAILQ_NEXT(sc, sc_timerq);
                tcpstat.tcps_sc_retransmitted++;
                TAILQ_REMOVE(&tcp_syncache.timerq[slot], sc, sc_timerq);

So what happens is that syncache_respond() calls ip_output,
which ends up calling ip_input, which ends up doing something
that causes 'sc' to be freed. Now 'sc' is freed, we return
to syncache_timer(), and then we use it in the nsc = TAILQ_NEXT(...)
line.

This particular part of the problem was introduced in
1.23 of tcp_syncache.c in response to another bug that I had
found.

Does anyone have a suggestion on a proper fix?
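One defensive pattern for this kind of timer-walk use-after-free, added here as an illustration and not the FreeBSD fix or FreeBSD code: pin the entry across the callback so that a free path reached re-entrantly only unlinks it and leaves the release to the walker, then take the next entry only from state known to be live. The struct, respond() and entry_drop() are constructed stand-ins for the syncache types, not the real ones.

```c
#include <stdlib.h>
#include <sys/queue.h>  /* the TAILQ_* macros tcp_syncache.c uses */
/* Constructed stand-in for a syncache entry; not the FreeBSD struct. */
struct entry {
    TAILQ_ENTRY(entry) link;
    int id;
    int pinned, dead; /* pinned: walker is using it; dead: freed while pinned */
};
static TAILQ_HEAD(entryq, entry) timerq = TAILQ_HEAD_INITIALIZER(timerq);
/* Free path reached from inside the callback (models ip_output -> ip_input).
 * A pinned entry is unlinked, but its release is left to the walker. */
static void entry_drop(struct entry *e)
{
    TAILQ_REMOVE(&timerq, e, link);
    if (e->pinned) { e->dead = 1; return; }
    free(e);
}
/* Callback that may drop the current entry or any other one (constructed). */
static void respond(int victim_id)
{
    struct entry *v;
    TAILQ_FOREACH(v, &timerq, link)
        if (v->id == victim_id) { entry_drop(v); return; }
}
/* Timer walk: pin across the callback, then take "next" only from live state. */
static int timer_walk(int victim_id)
{
    struct entry *e, *next; int visited = 0;
    for (e = TAILQ_FIRST(&timerq); e != NULL; e = next, visited++) {
        e->pinned = 1;
        respond(victim_id);
        e->pinned = 0;
        if (e->dead) {                      /* unlinked by entry_drop above */
            next = TAILQ_FIRST(&timerq);    /* e's link is stale: restart   */
        } else {
            next = TAILQ_NEXT(e, link);     /* e is alive and still linked  */
            TAILQ_REMOVE(&timerq, e, link); /* the real timer re-queues here */
        }
        free(e);
    }
    return visited;                         /* entries visited this tick */
}
/* Queue ids 1..n and run one tick in which the callback drops victim_id. */
static int run_case(int n, int victim_id)
{
    for (int i = 1; i <= n; i++) {
        struct entry *e = calloc(1, sizeof(*e)); e->id = i;
        TAILQ_INSERT_TAIL(&timerq, e, link);
    }
    return timer_walk(victim_id);
}
```

Dropping the current entry (the case in the report) and dropping a later entry are both exercised by run_case(); with the original ordering, the first case would read TAILQ_NEXT from freed memory.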
