Why don't you report it via PR? I suspect most patches will be lost in this mailing
list.

--
David Xu

----- Original Message ----- 
From: JINMEI Tatuya <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 07, 2001 8:44 PM
Subject: possible duplicated free in kernel


> (Probably I have to make a PR...,)
> 
> The latest RELENG_4 version (rev. 1.7.2.4) of sys/netinet6/raw_ip6.c
> has the following code fragment:
> 
> rip6_output()
> ..
>  freectl:
>     if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
>         RTFREE(optp->ip6po_route.ro_rt);
>     if (control) {
>         if (optp == &opt)
>             ip6_clearpktopts(optp, 0, -1);
> 
> Thus, it can call RTFREE inside the function.  However,
> ip6_clearpktopts (defined in netinet6/ip6_output.c) also calls RTFREE:
> 
> ip6_clearpktopts()
> ..
>     if (pktopt->ip6po_route.ro_rt) {
>         RTFREE(pktopt->ip6po_route.ro_rt);
>         pktopt->ip6po_route.ro_rt = NULL;
>     }
> 
> Consequently, optp->ip6po_route.ro_rt can be freed two times,
> unexpectedly.
> 
> Here is a patch to fix the problem.  Please review it, and merge it
> to the repository (hopefully before 4.4-RELEASE.) if acceptable.
> 
> Thanks,
> 
> JINMEI, Tatuya
> Communication Platform Lab.
> Corporate R&D Center, Toshiba Corp.
> [EMAIL PROTECTED]
> 
> 
> *** raw_ip6.c.orig Tue Aug  7 21:42:30 2001
> --- raw_ip6.c Tue Aug  7 21:42:36 2001
> ***************
> *** 472,479 ****
>   m_freem(m);
>   
>    freectl:
> - if (optp == &opt && optp->ip6po_rthdr && optp->ip6po_route.ro_rt)
> - RTFREE(optp->ip6po_route.ro_rt);
>   if (control) {
>   if (optp == &opt)
>   ip6_clearpktopts(optp, 0, -1);
> --- 472,477 ----
> 
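Review bot: the removed RTFREE at freectl ran whenever optp == &opt (with a routing header and a cached route), but the ip6_clearpktopts(optp, 0, -1) call that now has to release ip6po_route.ro_rt sits inside if (control). Please confirm that optp == &opt can only hold when control is non-NULL, since the assignment of optp is not visible in this hunk; if that is not guaranteed, the route reference would leak on that path instead of being released twice. A short comment at freectl stating that ip6_clearpktopts() releases the route and sets the pointer to NULL would also help keep a later change from reintroducing the second RTFREE.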
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message
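The double release described in the quoted message, modelled as a small user-space C program (an added example, not code from the FreeBSD tree or from either poster). The names route_entry, pktopts, rt_release, clear_pktopts, cleanup_before, cleanup_after and run are hypothetical stand-ins for the route entry, RTFREE and ip6_clearpktopts; the optp == &opt test is omitted because the model has only one options structure.

```c
#include <stdio.h>

/* Hypothetical stand-ins, not FreeBSD code: a refcounted route entry and packet options caching it. */
struct route_entry { int refcnt; int over_release; };
struct pktopts { void *rthdr; struct route_entry *ro_rt; };

/* Models RTFREE; counts an over-release instead of touching freed memory. */
static void rt_release(struct route_entry *rt)
{
    if (rt->refcnt <= 0) { rt->over_release++; return; }
    rt->refcnt--;
}

/* Models ip6_clearpktopts(): release the cached route and NULL the pointer. */
static void clear_pktopts(struct pktopts *p)
{
    if (p->ro_rt) { rt_release(p->ro_rt); p->ro_rt = NULL; }
}

/* Before the patch: the first release leaves ro_rt set, so clear_pktopts() releases it again. */
static void cleanup_before(struct pktopts *optp, int control)
{
    if (optp->rthdr && optp->ro_rt) rt_release(optp->ro_rt);
    if (control) clear_pktopts(optp);
}

/* After the patch: clear_pktopts() is the only release point. */
static void cleanup_after(struct pktopts *optp, int control)
{
    if (control) clear_pktopts(optp);
}

/* Run one variant on constructed state holding one reference; return the over-release count. */
static int run(void (*cleanup)(struct pktopts *, int), int *refcnt_out)
{
    struct route_entry rt = { 1, 0 };
    int hdr = 0;                         /* constructed routing header */
    struct pktopts opt = { &hdr, &rt };
    cleanup(&opt, 1);
    *refcnt_out = rt.refcnt;
    return rt.over_release;
}

int main(void)
{
    int r, before = run(cleanup_before, &r), after = run(cleanup_after, &r);
    printf("over-releases before patch: %d, after: %d (refcnt %d)\n", before, after, r);
    return 0;
}
```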


