HomeFreeBSD
Diffusion FreeBSD src repository - subversion rS346530

Fix panic in network stack due to memory use after free in relation to
rS346530
Actions

Description

Fix panic in network stack due to memory use after free in relation to
fragmented packets.

When sending IPv4 and IPv6 fragmented packets and a fragment is lost,
the mbuf making up the fragment will remain in the temporary hashed
fragment list for a while. If the network interface departs before the
so-called slow timeout clears the packet, the fragment causes a panic
when the timeout kicks in due to accessing a freed network interface
structure.

Make sure that when a network device is departing, all hashed IPv4 and
IPv6 fragments belonging to it, get freed.

Backtrace:
panic()
icmp6_reflect()

hlim = ND_IFINFO(m->m_pkthdr.rcvif)->chlim;
^^^^ rcvif->if_afdata[AF_INET6] is NULL.

icmp6_error()
frag6_freef()
frag6_slowtimo()
pfslowtimo()
softclock_call_cc()
softclock()
ithread_loop()

Differential Revision: https://reviews.freebsd.org/D19622
Reviewed by: bz (network), adrian
MFC after: 1 week
Sponsored by: Mellanox Technologies

Details

Provenance
hselaskyAuthored on
Reviewer
bz
Differential Revision
D19622: Fix panic in network stack due memory use after free in relation to fragmented packets
Parents
rS346529: Import patch from D19895 for reworking how CXXSTD is handled
Branches
Unknown
Tags
Unknown

Changes (2)

PathSize
head/
sys/
netinet/
netinet6/

rS346530

View Options

head/sys/netinet/ip_reass.c

Loading...
View Options

head/sys/netinet6/frag6.c

Loading...