Page MenuHomeFreeBSD
Differential D17594

rip6_input() inp validation after epoch(9)
ClosedPublic
Actions

Authored by bz on Oct 17 2018, 8:25 AM.
Tags
None
Referenced Files
F105787935: D17594.diff
Fri, Dec 20, 5:11 PM
Unknown Object (File)
Wed, Dec 4, 1:08 AM
Unknown Object (File)
Oct 18 2024, 8:19 PM
Unknown Object (File)
Oct 18 2024, 8:19 PM
Unknown Object (File)
Oct 18 2024, 8:19 PM
Unknown Object (File)
Oct 18 2024, 7:56 PM
Unknown Object (File)
Sep 22 2024, 2:46 AM
Unknown Object (File)
Sep 11 2024, 5:53 PM
View All 43 Files
Subscribers
imp
kbowling
rgrimes
network

Details

Reviewers
mmacy
jtl
markj
gallatin
rwatson
ae
hselasky
rgrimes
Commits
rS339682: rip6_input() inp validation after epoch(9)
Summary

After r335924 rip6_input() needs inp validation to avoid
working on FREED inps.

Apply the relevant bits from r335497, r335501 (rip_input() change)
to the IPv6 counterpart.

PR: 232194

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 20258
Build 19735: arc lint + arc unit

Event Timeline

bz created this revision.Oct 17 2018, 8:25 AM
Herald added a subscriber: imp. · View Herald TranscriptOct 17 2018, 8:25 AM
Harbormaster completed remote builds in B20258: Diff 49247.Oct 17 2018, 8:25 AM
bz added a comment.Oct 23 2018, 9:15 PM

Anyone? I'd love to get this in ...

bz added a reviewer: hselasky.Oct 23 2018, 9:15 PM
rgrimes accepted this revision.Oct 23 2018, 10:50 PM
rgrimes added a subscriber: rgrimes.
In D17594#377572, @bz wrote:

Anyone? I'd love to get this in ...

Are you targetting 12.0 by that statement?

This revision is now accepted and ready to land.Oct 23 2018, 10:50 PM
ae accepted this revision.Oct 24 2018, 6:22 AM
hselasky added inline comments.Oct 24 2018, 8:58 AM
sys/netinet6/raw_ip6.c
299

To protect that "last" is not used after-free, you need to move "INP_INFO_RUNLOCK_ET(&V_ripcbinfo, et)" down to right before the return !?

Remember that the epoch section in this case only protects against freeing the item, and accessing "last" after exiting epoch means you likely will access a freed member.

hselasky added inline comments.Oct 24 2018, 9:17 AM
sys/netinet6/raw_ip6.c
299

I see that the RLOCK() will protect against freeing the item, because in_pcbfree_deferred() takes the WLOCK(). But it would be consider more smart to hold back the release of the epoch() so that in_pcbfree_deferred() doesn't hit a blocked lock?

hselasky accepted this revision.Oct 24 2018, 10:22 AM

The current patch is fine. Moving the epoch_exit() until the end of the function may be considered a future optimisation.

Closed by commit rS339682: rip6_input() inp validation after epoch(9) (authored by bz). · Explain WhyOct 24 2018, 10:42 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
sys/
netinet6/
86 lines

Diff 49247

View Options

sys/netinet6/raw_ip6.c

Loading...