Date:      Thu, 8 Apr 2004 22:44:08 +0300
From:      Ruslan Ermilov <ru@freebsd.org>
To:        Julian Elischer <julian@elischer.org>
Cc:        Julian Elischer <julian@freebsd.org>
Subject:   Re: ng_bridge(4) has an easily exploitable memory leak
Message-ID:  <20040408194408.GB1919@ip.net.ua>
In-Reply-To: <Pine.BSF.4.21.0404081053540.63085-100000@InterJet.elischer.org>
References:  <20040408100929.GD16290@ip.net.ua> <Pine.BSF.4.21.0404081053540.63085-100000@InterJet.elischer.org>

On Thu, Apr 08, 2004 at 11:42:21AM -0700, Julian Elischer wrote:
> looks good but:
>
> +               if (destLink =3D=3D firstLink) {=20
> +                       /*
> +                        * If we've sent all the others, send the
> original
> +                        * on the first link we found.
> +                        */
> +                       NG_SEND_DATA(error, destLink->hook, m, meta);
> +                       break; /* always done last - not really
> needed. */
> +               } else {
> +                       NG_SEND_DATA(error, destLink->hook, m2, meta2);
> +               }
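
Review bot: The comment on the `break` in the `destLink == firstLink` branch calls it "not really needed", but this branch hands the original `m`/`meta` to NG_SEND_DATA, which per the macro quoted later in this message sets both to NULL, so the branch is only safe as the final pass. Suggest keeping the `break` and rewording the comment to state that invariant (the original must be sent last) rather than describing the `break` as optional.
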
>
>
> couldn't this be avoided by previously doing:
>
>
> +               if (linkNum =3D=3D priv->numLinks) {
> +                       /* If we never saw a good link, leave. */
> +                       if (firstLink =3D=3D NULL) {
> +                               NG_FREE_DATA(m, meta);
> +                               return (0);
> +                       }      =20
> +                       destLink =3D firstLink;
> --->                    m2 =3D m;
> --->                    meta2 =3D meta;
> --->                    m=3DNULL;
> --->                    meta=3DNULL;
> +               }
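
Review bot: Once the `--->` lines move the original into `m2`/`meta2` and clear `m`/`meta`, whatever code fills `m2`/`meta2` with a per-link copy (not shown in this hunk) has to be skipped on the `firstLink` pass; otherwise the original now held in `m2` would be overwritten without being freed, or a copy of a NULL `m` attempted. Separately, the two NULL assignments should have spaces around `=` to match `m2 = m;` and `meta2 = meta;` just above them.
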
>
>
> I leave it up to you to decide which you prefer, (but remember that
> NG_SEND_DATA is a macro and expands somewhat).
>
> specifically, to (sorry about linewrap):
> #define NG_SEND_DATA(error, hook, m, meta)                       \
>         do {                                                     \
>                 item_p _item;                                    \
>                 if ((_item = ng_package_data((m), (meta)))) {    \
>                         NG_FWD_ITEM_HOOK(error, _item, hook);    \
>                 } else {                                         \
>                         (error) = ENOMEM;                        \
>                 }                                                \
>                 (m) = NULL;                                      \
>                 (meta) = NULL;                                   \
>         } while (0)
>
> where NG_FWD_ITEM_HOOK
> itself expands to:
> #define NG_FWD_ITEM_HOOK(error, item, hook)                      \
>         do {                                                     \
>                 (error) =                                        \
>                     ng_address_hook(NULL, (item), (hook), 0);    \
>                 if (error == 0) {                                \
>                         SAVE_LINE(item);                         \
>                         (error) = ng_snd_item((item), 0);        \
>                 }                                                \
>                 (item) = NULL;                                   \
>         } while (0)
>
> so only having one of those saves a bit of code.
>
Your proposal of course looks good, but remember I was only doing a
porting of _your_ code for MFC, per your request.  My whole purpose
of this posting was to go ask you to please MFC your fix which you
mixed with the SMP-related work on Netgraph in rev. 1.8.  ;)


Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
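
A user-space C model of the single-send-site variant proposed in the quoted reply, added here as an illustration and not code from ng_bridge or from either poster. `struct buf`, `buf_new`, `buf_free`, `SEND`, `flood` and the `live` counter are hypothetical stand-ins for the mbuf/meta pair, `NG_SEND_DATA` and the bridge's flooding loop; the model checks that no buffer stays allocated on any exit path, including the no-usable-link case.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model (constructed): struct buf stands in for mbuf + meta. */
struct buf { int id; };
static int live;              /* buffers allocated and not yet freed */
static int order[16], nsent;  /* link index of each send (model: <= 16 links) */

static struct buf *buf_new(int id) {
    struct buf *b = malloc(sizeof(*b));
    if (b != NULL) { b->id = id; live++; }
    return b;
}
static void buf_free(struct buf *b) { if (b != NULL) { free(b); live--; } }

/* Like NG_SEND_DATA: consumes the buffer and clears the caller's pointer. */
#define SEND(link, b) do { order[nsent++] = (link); buf_free(b); (b) = NULL; } while (0)

/* Flood one frame to every usable link except `in`; returns buffers leaked. */
static int flood(const int *up, int nlinks, int in) {
    struct buf *m = buf_new(1), *m2 = NULL;
    int first = -1, dest, i;

    nsent = 0;
    if (m == NULL) return -1;
    for (i = 0; i <= nlinks; i++) {
        if (i == nlinks) {
            if (first < 0) { buf_free(m); break; }  /* no good link: free it */
            dest = first;
            m2 = m;          /* the original goes out last ... */
            m = NULL;        /* ... and m2 now owns it */
        } else {
            if (!up[i] || i == in) continue;
            if (first < 0) { first = i; continue; } /* reserved for original */
            dest = i;
            m2 = buf_new(m->id);                    /* copy for this link */
            if (m2 == NULL) { buf_free(m); break; }
        }
        SEND(dest, m2);      /* the only send site */
    }
    return live;
}

int main(void) {
    int up[4] = { 1, 1, 0, 1 };  /* constructed: link 2 down, frame came in on 0 */
    int leaked = flood(up, 4, 0);
    printf("leaked=%d sends=%d\n", leaked, nsent);
    return 0;
}
```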
