Date: Thu, 8 Apr 2004 22:44:08 +0300
From: Ruslan Ermilov <ru@freebsd.org>
To: Julian Elischer <julian@elischer.org>
Cc: Julian Elischer <julian@freebsd.org>
Subject: Re: ng_bridge(4) has an easily exploitable memory leak
Message-ID: <20040408194408.GB1919@ip.net.ua>
In-Reply-To: <Pine.BSF.4.21.0404081053540.63085-100000@InterJet.elischer.org>
References: <20040408100929.GD16290@ip.net.ua> <Pine.BSF.4.21.0404081053540.63085-100000@InterJet.elischer.org>

On Thu, Apr 08, 2004 at 11:42:21AM -0700, Julian Elischer wrote:
> looks good but:
>
> + if (destLink == firstLink) {
> + /*
> + * If we've sent all the others, send the
> original
> + * on the first link we found.
> + */
> + NG_SEND_DATA(error, destLink->hook, m, meta);
> + break; /* always done last - not really
> needed. */
> + } else {
> + NG_SEND_DATA(error, destLink->hook, m2, meta2);
> + }
>
>
> couldn't this be avoided by previously doing:
>
>
> + if (linkNum == priv->numLinks) {
> + /* If we never saw a good link, leave. */
> + if (firstLink == NULL) {
> + NG_FREE_DATA(m, meta);
> + return (0);
> + }
> + destLink = firstLink;
> ---> m2 = m;
> ---> meta2 = meta;
> ---> m=NULL;
> ---> meta=NULL;
> + }
>
>
> I leave it up to you to decide which you prefer, (but remember that
> NG_SEND_DATA is a macro and expands somewhat.)
>
> specifically, to (sorry about linewrap):
> #define NG_SEND_DATA(error, hook, m, meta) \
>     do {\
>         item_p _item; \
>         if ((_item = ng_package_data((m), (meta)))) {\
>             NG_FWD_ITEM_HOOK(error, _item, hook); \
>         } else { \
>             (error) = ENOMEM; \
>         }\
>         (m) = NULL; \
>         (meta) = NULL; \
>     } while (0)
>
> where NG_FWD_ITEM_HOOK itself expands to:
> #define NG_FWD_ITEM_HOOK(error, item, hook) \
>     do { \
>         (error) = \
>             ng_address_hook(NULL, (item), (hook), 0); \
>         if (error == 0) { \
>             SAVE_LINE(item); \
>             (error) = ng_snd_item((item), 0); \
>         } \
>         (item) = NULL; \
>     } while (0)
>
> so only having one of those saves a bit of code.
>

Your proposal of course looks good, but remember I was only doing
a porting of _your_ code for MFC, per your request. My whole purpose
of this posting was to go ask you to please MFC your fix which you
mixed with the SMP-related work on Netgraph in rev. 1.8.
;)

Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
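
Review bot: in the quoted `destLink == firstLink` hunk, `error` is assigned by each `NG_SEND_DATA` call and never examined in the lines shown, so if this block runs once per link, as the comment about having "sent all the others" implies, a failure on an `m2` send (the quoted macro sets `error` to `ENOMEM` when `ng_package_data` fails) is overwritten by the later send of the original. Consider keeping the first non-zero `error` in a separate variable and returning that. The `break` is commented as "not really needed"; either drop it or have the comment say why it is kept.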
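
Review bot: in the suggested `linkNum == priv->numLinks` block, the four `--->` lines hand the original `m`/`meta` over to `m2`/`meta2` without a comment saying so, and `m=NULL;` and `meta=NULL;` lack the spaces around `=` used by `destLink = firstLink;` just above. A one-line comment stating that the original packet now goes out last through the common `NG_SEND_DATA(error, destLink->hook, m2, meta2);` call would document the ownership transfer, and any code after this block must not expect `m` or `meta` to be non-NULL.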