Page MenuHomeFreeBSD
Differential D30273

netgraph/ng_checksum: Fix double free error
ClosedPublic
Actions

Authored by donner on May 15 2021, 9:38 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Apr 21, 9:00 PM
Unknown Object (File)
Jan 16 2024, 4:24 AM
Unknown Object (File)
Dec 23 2023, 12:14 AM
Unknown Object (File)
Oct 13 2023, 12:42 PM
Unknown Object (File)
Sep 9 2023, 3:40 PM
Unknown Object (File)
Aug 8 2023, 12:08 AM
Unknown Object (File)
Aug 4 2023, 9:23 PM
Unknown Object (File)
Jul 13 2023, 6:39 AM
View All 16 Files
Subscribers
imp
melifaro
Contributor Reviews (src)

Details

Reviewers
markj
afedorov
Group Reviewers
network
Commits
rG6bc3535519f7: netgraph/ng_checksum: Fix double free error
rG76b96a4ec7fa: netgraph/ng_checksum: Fix double free error
rGfa670efa25ad: netgraph/ng_checksum: Fix double free error
rG687e510e5ce3: netgraph/ng_checksum: Fix double free error
Summary

m_pullup(9) frees the mbuf(9) chain in the case of an allocation error.
The mbuf chain must not be freed again at the end in this case.

PR: 255874
Submitted by: <lylgood@foxmail.com>
MFC after: 1 week

Test Plan

Tested by the submitter.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

donner created this revision.May 15 2021, 9:38 AM
Herald added subscribers: Contributor Reviews (src), melifaro, imp. · View Herald TranscriptMay 15 2021, 9:38 AM
donner requested review of this revision.May 15 2021, 9:38 AM
Harbormaster completed remote builds in B39203: Diff 89258.May 15 2021, 9:38 AM
donner added reviewers: network, markj, afedorov.May 15 2021, 9:45 AM
markj added a comment.May 15 2021, 3:25 PM

checksum_ipv4() and checksum_ipv6() may fail without freeing the mbuf. In that case, with the patch the mbuf is leaked.

One approach that's used in some places is to pass a struct mbuf ** to the subroutine, and have the callee set *m = NULL when it frees the mbuf. Alternately, checksum_ip*() can be modified to always free the mbuf upon failure.

sys/netgraph/ng_checksum.c
686

drop is not really an accurate name for the label now.

donner added a comment.May 15 2021, 4:26 PM
In D30273#680113, @markj wrote:

checksum_ipv4() and checksum_ipv6() may fail without freeing the mbuf. In that case, with the patch the mbuf is leaked.

Can you point to a code line, where this can happen?
I didn't see one.

One approach that's used in some places is to pass a struct mbuf ** to the subroutine,
and have the callee set *m = NULL when it frees the mbuf. Alternately, checksum_ip*()
can be modified to always free the mbuf upon failure.

As part of a brushup of this code, yes.
As part of a bug fix, no.

sys/netgraph/ng_checksum.c
686

Not as part of a bugfix.

markj added a comment.May 15 2021, 4:59 PM
In D30273#680142, @donner wrote:
In D30273#680113, @markj wrote:

checksum_ipv4() and checksum_ipv6() may fail without freeing the mbuf. In that case, with the patch the mbuf is leaked.

Can you point to a code line, where this can happen?
I didn't see one.

In checksum_ipv4() we call PULLUP_CHECK() on line 316. PULLUP_CHECK() looks like this:

293 #define PULLUP_CHECK(mbuf, length) do {                                 \                                                                                                 
294         pullup_len += length;                                           \                                                                                                 
295         if (((mbuf)->m_pkthdr.len < pullup_len) ||                      \                                                                                                 
296             (pullup_len > MHLEN)) {                                     \                                                                                                 
297                 return (EINVAL);                                        \                                                                                                 
298         }                                                               \                                                                                                 
299         if ((mbuf)->m_len < pullup_len &&                               \                                                                                                 
300             (((mbuf) = m_pullup((mbuf), pullup_len)) == NULL)) {        \                                                                                                 
301                 return (ENOBUFS);                                       \                                                                                                 
302         }                                                               \                                                                                                 
303 } while (0)

On line 297, we return an error without having freed the mbuf. On line 301 we return an error having freed the mbuf, and the caller of checksum_ipv4() will free the mbuf again. So in the first case, we are now not freeing the mbuf at all.

markj added a comment.May 15 2021, 5:15 PM
In D30273#680142, @donner wrote:
In D30273#680113, @markj wrote:

One approach that's used in some places is to pass a struct mbuf ** to the subroutine,
and have the callee set *m = NULL when it frees the mbuf. Alternately, checksum_ip*()
can be modified to always free the mbuf upon failure.

As part of a brushup of this code, yes.
As part of a bug fix, no.

To be clear, what I am proposing there is part of the bug fix, not a cleanup.

donner added a comment.May 15 2021, 6:57 PM
In D30273#680148, @markj wrote:
In D30273#680142, @donner wrote:
In D30273#680113, @markj wrote:

checksum_ipv4() and checksum_ipv6() may fail without freeing the mbuf. In that case, with the patch the mbuf is leaked.

Can you point to a code line, where this can happen?
I didn't see one.

In checksum_ipv4() we call PULLUP_CHECK() on line 316. PULLUP_CHECK() looks like this:

293 #define PULLUP_CHECK(mbuf, length) do {                                 \                                                                                                 
294         pullup_len += length;                                           \                                                                                                 
295         if (((mbuf)->m_pkthdr.len < pullup_len) ||                      \                                                                                                 
296             (pullup_len > MHLEN)) {                                     \                                                                                                 
297                 return (EINVAL);                                        \                                                                                                 
298         }                                                               \                                                                                                 
299         if ((mbuf)->m_len < pullup_len &&                               \                                                                                                 
300             (((mbuf) = m_pullup((mbuf), pullup_len)) == NULL)) {        \                                                                                                 
301                 return (ENOBUFS);                                       \                                                                                                 
302         }                                                               \                                                                                                 
303 } while (0)

On line 297, we return an error without having freed the mbuf. On line 301 we return an error having freed the mbuf, and the caller of checksum_ipv4() will free the mbuf again. So in the first case, we are now not freeing the mbuf at all.

This is well respected on the caller side:

	error = checksum_ipv*(priv, m, pullup_len);
	if (error == 0)
		goto bypass;
	else if (error == ENOBUFS)
		goto drop;

I don't say, the bug fix could be improved, ...

markj accepted this revision.May 16 2021, 5:01 PM
In D30273#680188, @donner wrote:
In D30273#680148, @markj wrote:
In D30273#680142, @donner wrote:
In D30273#680113, @markj wrote:

checksum_ipv4() and checksum_ipv6() may fail without freeing the mbuf. In that case, with the patch the mbuf is leaked.

Can you point to a code line, where this can happen?
I didn't see one.

In checksum_ipv4() we call PULLUP_CHECK() on line 316. PULLUP_CHECK() looks like this:

293 #define PULLUP_CHECK(mbuf, length) do {                                 \                                                                                                 
294         pullup_len += length;                                           \                                                                                                 
295         if (((mbuf)->m_pkthdr.len < pullup_len) ||                      \                                                                                                 
296             (pullup_len > MHLEN)) {                                     \                                                                                                 
297                 return (EINVAL);                                        \                                                                                                 
298         }                                                               \                                                                                                 
299         if ((mbuf)->m_len < pullup_len &&                               \                                                                                                 
300             (((mbuf) = m_pullup((mbuf), pullup_len)) == NULL)) {        \                                                                                                 
301                 return (ENOBUFS);                                       \                                                                                                 
302         }                                                               \                                                                                                 
303 } while (0)

On line 297, we return an error without having freed the mbuf. On line 301 we return an error having freed the mbuf, and the caller of checksum_ipv4() will free the mbuf again. So in the first case, we are now not freeing the mbuf at all.

This is well respected on the caller side:

	error = checksum_ipv*(priv, m, pullup_len);
	if (error == 0)
		goto bypass;
	else if (error == ENOBUFS)
		goto drop;

I don't say, the bug fix could be improved, ...

Sorry, I missed this detail when reading the code. I think the diff is fine.

This revision is now accepted and ready to land.May 16 2021, 5:01 PM
Closed by commit rG687e510e5ce3: netgraph/ng_checksum: Fix double free error (authored by donner). · Explain WhyMay 16 2021, 5:41 PM
This revision was automatically updated to reflect the committed changes.
donner added a commit: rG687e510e5ce3: netgraph/ng_checksum: Fix double free error.
donner added a commit: rGfa670efa25ad: netgraph/ng_checksum: Fix double free error.May 23 2021, 12:56 PM
donner added a commit: rG76b96a4ec7fa: netgraph/ng_checksum: Fix double free error.May 23 2021, 12:59 PM
donner added a commit: rG6bc3535519f7: netgraph/ng_checksum: Fix double free error.May 23 2021, 1:03 PM

Revision Contents
Changeset List

PathSize
sys/
netgraph/
2 lines

Diff 89304

View Options

sys/netgraph/ng_checksum.c

Loading...