Page MenuHomeFreeBSD
Differential D30129

divert: Fix mbuf ownership confusion in div_output()
ClosedPublic
Actions

Authored by markj on May 5 2021, 6:20 PM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 5 2024, 7:41 PM
Unknown Object (File)
Oct 5 2024, 4:57 AM
Unknown Object (File)
Oct 4 2024, 4:34 AM
Unknown Object (File)
Oct 3 2024, 12:43 PM
Unknown Object (File)
Oct 3 2024, 9:44 AM
Unknown Object (File)
Oct 2 2024, 10:13 PM
Unknown Object (File)
Oct 2 2024, 7:51 PM
Unknown Object (File)
Oct 2 2024, 7:10 PM
View All 60 Files
Subscribers
donner
imp
melifaro

Details

Reviewers
melifaro
glebius
donner
Group Reviewers
network
Commits
rG22b58630d6ba: divert: Fix mbuf ownership confusion in div_output()
rGeafeee082c50: divert: Fix mbuf ownership confusion in div_output()
rGa1fadf7de25b: divert: Fix mbuf ownership confusion in div_output()
Summary

div_output_outbound() and div_output_inbound() relied on the caller to
free the mbuf if an error occurred. However, this is contrary to the
semantics of their callees, ip_output(), ip6_output() and
netisr_queue_src(), which always consume the mbuf. So, if one of these
functions returned an error, that would get propagated up to
div_output(), resulting in a double free.

Fix the problem by making div_output_outbound() and div_output_inbound()
responsible for freeing the mbuf in all cases.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.May 5 2021, 6:20 PM
Herald added subscribers: melifaro, imp. · View Herald TranscriptMay 5 2021, 6:20 PM
markj requested review of this revision.May 5 2021, 6:20 PM
Harbormaster completed remote builds in B39034: Diff 88693.May 5 2021, 6:20 PM
markj added reviewers: melifaro, glebius, network.May 5 2021, 6:20 PM
donner added a subscriber: donner.May 5 2021, 6:28 PM
donner added inline comments.
sys/netinet/ip_divert.c
424

Should the comment also be changed?

508

Does ip_output always consume the mbuf, even in the case of an error?

514

Does ip6_output always consume the mbuf, even in the case of an error?

markj marked an inline comment as done.May 5 2021, 6:33 PM
markj added inline comments.
sys/netinet/ip_divert.c
508

Yes. If it succeeds, it hands the mbuf to lower layers, which must dispose of it in some way. Ditto for ip6_output().

markj updated this revision to Diff 88694.May 5 2021, 6:34 PM

Update the comment for div_output_outbound() like I did for
div_output_inbound().

Harbormaster completed remote builds in B39035: Diff 88694.May 5 2021, 6:34 PM
donner accepted this revision as: donner.May 5 2021, 6:44 PM

Okay, the ip*_output functions will always consume the mbuf. I just read the souce

This revision is now accepted and ready to land.May 5 2021, 6:44 PM
avg added a subscriber: avg.May 5 2021, 7:03 PM
avg removed a subscriber: avg.
Closed by commit rGa1fadf7de25b: divert: Fix mbuf ownership confusion in div_output() (authored by markj). · Explain WhyMay 7 2021, 6:34 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rGa1fadf7de25b: divert: Fix mbuf ownership confusion in div_output().
markj added a commit: rGeafeee082c50: divert: Fix mbuf ownership confusion in div_output().May 10 2021, 1:50 PM
markj added a commit: rG22b58630d6ba: divert: Fix mbuf ownership confusion in div_output().May 26 2021, 8:38 PM

Revision Contents
Changeset List

PathSize
sys/
netinet/
17 lines

Diff 88857

View Options

sys/netinet/ip_divert.c

Loading...