Date: Wed, 13 Oct 2010 19:51:51 GMT
From: Andrew Boyer <aboyer@averesystems.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/151435: Reference leak in ip_dooptions()
Message-ID: <201010131951.o9DJpp4p045647@www.freebsd.org>
Resent-Message-ID: <201010132000.o9DK0J5J056418@freefall.freebsd.org>
>Number: 151435 >Category: kern >Synopsis: Reference leak in ip_dooptions() >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Oct 13 20:00:18 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Andrew Boyer >Release: head >Organization: Avere Systems >Environment: N/A >Description: SVN 194760 changed ifa_ifwithaddr() so that it returns a reference along with the ifa. ifa_ifwithaddr_check() was added to simplify things for callers who didn't want to deal with a reference. On line 344 of sys/netinet/ip_options.c, there's a call to ifa_ifwithaddr() that does not store a return value. It looks like it should have been converted to ifa_ifwithaddr_check(). This is only an issue if packets with IPOPT_TS_PRESPEC set are received, so it's not likely been a problem for anyone. >How-To-Repeat: Unknown - found by code review. >Fix: --- sys/netinet/ip_options.c +++ sys/netinet/ip_options.c @@ -341,7 +341,7 @@ dropit: } (void)memcpy(&ipaddr.sin_addr, sin, sizeof(struct in_addr)); - if (ifa_ifwithaddr((SA)&ipaddr) == NULL) + if (ifa_ifwithaddr_check((SA)&ipaddr) == 0) continue; cp[IPOPT_OFFSET] += sizeof(struct in_addr); off += sizeof(struct in_addr); >Release-Note: >Audit-Trail: >Unformatted:
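Review bot: The new condition in the @@ -341,7 +341,7 @@ hunk tests `ifa_ifwithaddr_check((SA)&ipaddr) == 0`, but neither the patch nor the description states the return convention of ifa_ifwithaddr_check(), so a reader has to look it up to confirm that 0 means "no matching address" and that the `continue` still fires in the same case as the old `== NULL` test. Please add a sentence to the description saying so, or write the test as `!ifa_ifwithaddr_check(...)` to make the boolean intent obvious. Since the old call discarded the returned ifa, each packet that reaches this check with a locally matching address pinned one reference that was never released. With How-To-Repeat listed as unknown, it would help to note how the IPOPT_TS_PRESPEC path can be exercised so the fix can be confirmed by watching that the ifa reference count stops growing. It is also worth stating whether the other ifa_ifwithaddr() callers in this file were checked for the same discarded return value.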