Tried plumbing a ton of tunnels concurrently today and ran across a
NULL-pointer dereference in tun_rem_tun_byaddr_list().
Keep in mind, all of tunnelling gets rearchitected by Clearview, but any
pre-Clearview users of massive amounts of tunnels (with concurrent plumbing)
will want to exploit this (very tiny) fix.
http://cr.opensolaris.org/~danmcd/6617642/
The bug itself isn't yet available via bugs.opensolaris.org, so briefly:
* Tons of concurrent tunnel plumbs race such that tun_add_byaddr()
  may hit its weak collision check and not insert the passed-in tun_t
  into any list.
* tun_rem_tun_byaddr_list() assumes the passed-in tun_t is *IN* a
  list. It panics with a NULL-pointer otherwise.
* The fix is to make tun_rem_tun_byaddr_list() more resilient in the
  face of uninserted tun_t structures.
* Clearview rewhacks all of tunnelling anyway, so spending cycles on
  the possibly-faulty collision check in tun_add_byaddr() isn't a
  good use of cycles.
Thanks!
Dan
_______________________________________________
networking-discuss mailing list
[email protected]
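The failure mode described in the message, as an added example that is not part of the original post and is not the OpenSolaris source: a single-threaded model of an add routine that can skip insertion and a remove routine that tolerates an uninserted entry. Assumptions: `ex_tun_t`, `ex_add_byaddr()`, `ex_rem_byaddr()`, the back-pointer layout and the duplicate-address collision rule are all hypothetical stand-ins, and locking is omitted.

```c
#include <stddef.h>

/* Hypothetical stand-in for tun_t; only the list linkage is modelled. */
typedef struct ex_tun {
	struct ex_tun *next;	/* next entry in the bucket */
	struct ex_tun **ptpn;	/* pointer that points at us; NULL = not listed */
	unsigned addr;		/* constructed lookup key */
} ex_tun_t;

static ex_tun_t *bucket;	/* one hash bucket is enough for the model */

/* Insert t unless an entry with the same addr exists (assumed collision
 * rule). Returns 1 if inserted, 0 if t was left in no list at all. */
static int ex_add_byaddr(ex_tun_t *t)
{
	ex_tun_t *p;

	t->next = NULL;
	t->ptpn = NULL;
	for (p = bucket; p != NULL; p = p->next)
		if (p->addr == t->addr)
			return 0;	/* collision: caller still owns an unlisted t */
	t->next = bucket;
	t->ptpn = &bucket;
	if (bucket != NULL)
		bucket->ptpn = &t->next;
	bucket = t;
	return 1;
}

/* Unlink t. Without the NULL check, "*t->ptpn = ..." dereferences NULL for
 * an entry the add routine skipped. Returns 1 if unlinked, 0 if not listed. */
static int ex_rem_byaddr(ex_tun_t *t)
{
	if (t->ptpn == NULL)
		return 0;		/* never inserted, or already removed */
	*t->ptpn = t->next;
	if (t->next != NULL)
		t->next->ptpn = t->ptpn;
	t->next = NULL;
	t->ptpn = NULL;		/* makes a second removal a no-op */
	return 1;
}

int main(void)
{
	ex_tun_t a = { NULL, NULL, 1 }, dup = { NULL, NULL, 1 };

	ex_add_byaddr(&a);
	ex_add_byaddr(&dup);	/* skipped: same addr as a */
	return (ex_rem_byaddr(&dup) == 0 && ex_rem_byaddr(&a) == 1) ? 0 : 1;
}
```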