We release the reference to the in6_ifaddr but retain a pointer to it.
Copy the address itself, rather than keeping the pointer to fix this.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Details
Details
- Reviewers
- None
- Group Reviewers
network pfsense - Commits
- rG23d8e956fbe2: icmp6: fix use-after-reference-release
Diff Detail
Diff Detail
- Repository
- rG FreeBSD src repository
- Lint
Lint Skipped - Unit
Tests Skipped - Build Status
Buildable 64347 Build 61231: arc lint + arc unit
Event Timeline
Comment Actions
I think this change is not necessary, but the comment should be revised instead. Is there any issue caused by referencing a released ifa ?
| sys/netinet6/icmp6.c | ||
|---|---|---|
| 2465 | Well, icmp6_redirect_output() is within net epoch section, the following ifa_free() will defer the deallocating, so it is still safe to reference the released ifa. Then this comment is not accurate. | |
| sys/netinet6/icmp6.c | ||
|---|---|---|
| 2465 | That's a good catch. You're correct that this isn't actually going to cause problems, but I'm still inclined to make the change anyway, because it's highly counterintuitive (and might break if we ever change how ifa_free() works). Copying the address is clearly safe, and shouldn't cause anyone else to go chasing phantoms. It's a small amount of extra work, but this is essentially an error path (and is rate limited on line 2434). | |