Re: Possible race in IPv6

[Andrey V. Elsukov]

On 18.03.2015 20:01, Alexandre Martins wrote:
 Dear,
 
 I'm facing some crash around manipulations of IPv6 address.
 
 I already found that the commit 275593 will fix my issue.
 
 However, after some code review, i see a possible race in the function 
 nd6_na_input:
 
 https://svnweb.freebsd.org/base/head/sys/netinet6/nd6_nbr.c?annotate=279676#l750
 
 =-=-=-=-=-=-=-=-=-=
 if (ifa
   (((struct in6_ifaddr *)ifa)-ia6_flags  IN6_IFF_TENTATIVE)) {
  ifa_free(ifa);
  nd6_dad_na_input(ifa);
  goto freeit;
 }
 =-=-=-=-=-=-=-=-=-=
 
 As you can see, the function drop its reference on the address and pass it to 
 nd6_dad_na_input.
 It should be better to release the reference after the call.
 
 What about you?

Hi,

Actually nd6_dad_na_input() uses ifa only for addresses comparison, so
there shouldn't be some negative impact in this race. But for the better
code logic I'll commit this change. Thanks.

-- 
WBR, Andrey V. Elsukov
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org

Possible race in IPv6

[Alexandre Martins]

Dear,

I'm facing some crash around manipulations of IPv6 address.

I already found that the commit 275593 will fix my issue.

However, after some code review, i see a possible race in the function 
nd6_na_input:

https://svnweb.freebsd.org/base/head/sys/netinet6/nd6_nbr.c?annotate=279676#l750

=-=-=-=-=-=-=-=-=-=
if (ifa
  (((struct in6_ifaddr *)ifa)-ia6_flags  IN6_IFF_TENTATIVE)) {
 ifa_free(ifa);
 nd6_dad_na_input(ifa);
 goto freeit;
}
=-=-=-=-=-=-=-=-=-=

As you can see, the function drop its reference on the address and pass it to 
nd6_dad_na_input.
It should be better to release the reference after the call.

What about you?

Regards

-- 
Alexandre Martins
STORMSHIELD



smime.p7s
Description: S/MIME cryptographic signature