DragonFly BSD
DragonFly submit List (threaded) for 2004-12

sys/netinet6/in6_rmx.c: fix a double-free bug


From: Hiroki Sato <hrs@xxxxxxxxxx>
Date: Tue, 28 Dec 2004 19:31:59 +0900 (JST)

Hi,

 Here is a patch from KAME to fix a double-free bug when
 net.inet[6].ip[6].rtexpire=0.

Fix a double-free bug when net.inet[6].ip[6].rtexpire=0.

Obtained from:	KAME (via FreeBSD, in6_rmx.c:1.1.2.3->1.1.2.4)

Index: in6_rmx.c
===================================================================
RCS file: /cvs/src/sys/netinet6/in6_rmx.c,v
retrieving revision 1.8
diff -d -u -I\$FreeBSD:.*\$ -I\$NetBSD:.*\$ -I\$OpenBSD:.*\$ -I\$DragonFly:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.8 in6_rmx.c
--- in6_rmx.c	21 Dec 2004 02:54:47 -0000	1.8
+++ in6_rmx.c	28 Dec 2004 09:59:36 -0000
@@ -276,10 +276,16 @@
 		rt->rt_flags |= RTPRF_OURS;
 		rt->rt_rmx.rmx_expire = time_second + rtq_reallyold;
 	} else {
+		struct rtentry *dummy;
+
+		/*
+		 * rtrequest() would recursively call rtfree() without the
+		 * dummy entry argument, causing duplicated free.
+		 */
 		rtrequest(RTM_DELETE,
 			  (struct sockaddr *)rt_key(rt),
 			  rt->rt_gateway, rt_mask(rt),
-			  rt->rt_flags, 0);
+			  rt->rt_flags, &dummy);
 	}
 }
 
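Review bot: in the else branch, the pointer that rtrequest() stores in dummy is never read afterwards, and the return value of rtrequest() is still ignored, so nothing in the hunk shows who releases the entry once rtrequest() stops doing so. The new comment explains why the argument must be non-NULL ("rtrequest() would recursively call rtfree()") but not why dropping the returned pointer is safe. Please extend it to name the caller that completes the free. It would also help to initialise the variable to NULL and give it a name that says it is intentionally unused, and to consider whether a failing RTM_DELETE should at least be logged here.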

Attachment: pgp00021.pgp
Description: PGP signature


