Page MenuHomeFreeBSD
Differential D30129

divert: Fix mbuf ownership confusion in div_output()
ClosedPublic
Actions

Authored by markj on May 5 2021, 6:20 PM.
Tags
None
Referenced Files
Unknown Object (File)
Feb 23 2024, 2:01 AM
Unknown Object (File)
Feb 14 2024, 4:55 AM
Unknown Object (File)
Dec 20 2023, 5:28 AM
Unknown Object (File)
Dec 13 2023, 12:21 PM
Unknown Object (File)
Oct 6 2023, 3:48 PM
Unknown Object (File)
Sep 6 2023, 12:30 AM
Unknown Object (File)
Sep 3 2023, 2:34 AM
Unknown Object (File)
Sep 3 2023, 2:33 AM
View All 21 Files
Subscribers
donner
imp
melifaro

Details

Reviewers
melifaro
glebius
donner
Group Reviewers
network
Commits
rG22b58630d6ba: divert: Fix mbuf ownership confusion in div_output()
rGeafeee082c50: divert: Fix mbuf ownership confusion in div_output()
rGa1fadf7de25b: divert: Fix mbuf ownership confusion in div_output()
Summary

div_output_outbound() and div_output_inbound() relied on the caller to
free the mbuf if an error occurred. However, this is contrary to the
semantics of their callees, ip_output(), ip6_output() and
netisr_queue_src(), which always consume the mbuf. So, if one of these
functions returned an error, that would get propagated up to
div_output(), resulting in a double free.

Fix the problem by making div_output_outbound() and div_output_inbound()
responsible for freeing the mbuf in all cases.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 39034
Build 35923: arc lint + arc unit

Event Timeline

markj created this revision.May 5 2021, 6:20 PM
Herald added subscribers: melifaro, imp. · View Herald TranscriptMay 5 2021, 6:20 PM
markj requested review of this revision.May 5 2021, 6:20 PM
Harbormaster completed remote builds in B39034: Diff 88693.May 5 2021, 6:20 PM
markj added reviewers: melifaro, glebius, network.May 5 2021, 6:20 PM
donner added a subscriber: donner.May 5 2021, 6:28 PM
donner added inline comments.
sys/netinet/ip_divert.c
425

Should the comment also be changed?

509

Does ip_output always consume the mbuf, even in the case of an error?

515

Does ip6_output always consume the mbuf, even in the case of an error?

markj marked an inline comment as done.May 5 2021, 6:33 PM
markj added inline comments.
sys/netinet/ip_divert.c
509

Yes. If it succeeds, it hands the mbuf to lower layers, which must dispose of it in some way. Ditto for ip6_output().

markj updated this revision to Diff 88694.May 5 2021, 6:34 PM

Update the comment for div_output_outbound() like I did for
div_output_inbound().

Harbormaster completed remote builds in B39035: Diff 88694.May 5 2021, 6:34 PM
donner accepted this revision as: donner.May 5 2021, 6:44 PM

Okay, the ip*_output functions will always consume the mbuf. I just read the souce

This revision is now accepted and ready to land.May 5 2021, 6:44 PM
avg added a subscriber: avg.May 5 2021, 7:03 PM
avg removed a subscriber: avg.
Closed by commit rGa1fadf7de25b: divert: Fix mbuf ownership confusion in div_output() (authored by markj). · Explain WhyMay 7 2021, 6:34 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rGa1fadf7de25b: divert: Fix mbuf ownership confusion in div_output().
markj added a commit: rGeafeee082c50: divert: Fix mbuf ownership confusion in div_output().May 10 2021, 1:50 PM
markj added a commit: rG22b58630d6ba: divert: Fix mbuf ownership confusion in div_output().May 26 2021, 8:38 PM

Revision Contents
Changeset List

PathSize
sys/
netinet/
14 lines

Diff 88693

View Options

sys/netinet/ip_divert.c

Loading...