On 18/04/14(Fri) 18:12, Claudio Jeker wrote: > Bad stuff happens when the ifa lookup tree gets corrupted. > In my case local traffic was suddenly no longer local and was > forwarded to lo0 ad infinitum.
Which lookup exactly? > This was caused by the usage of rdomains and destroing pseudo interfaces. > The sadl address was still in rdomain 0, was therefor not found in the > tree and so you end up with a bad node and a use after free. I'm really interested in this case, because I think that there's no benefit of storing the link-layer addresses in the RB-tree. I believe we could even remove them from the tree, so I'd better fix the code relying this behavior. > The following diff solves this by removing and readding the sadl to the RB > tree when switching rdomain. If you're doing that because of a call to ifa_ifwithaddr() I'd suggest to modify the calling function instead. I'd guess it's ifa_ifwithroute(), isn't it? Since link-layer addresses contain the index of their related interface, I don't see the point of doing a lookup. > > OK? > -- > :wq Claudio > > Index: if.c > =================================================================== > RCS file: /cvs/src/sys/net/if.c,v > retrieving revision 1.283 > diff -u -p -r1.283 if.c > --- if.c 10 Apr 2014 13:47:21 -0000 1.283 > +++ if.c 18 Apr 2014 16:03:11 -0000 > @@ -1515,6 +1580,8 @@ ifioctl(struct socket *so, u_long cmd, c > #ifdef INET > in_ifdetach(ifp); > #endif > + /* remove sadl from ifa RB tree */ > + ifa_del(ifp, ifp->if_lladdr); > splx(s); > } > > @@ -1525,6 +1592,9 @@ ifioctl(struct socket *so, u_long cmd, c > > /* Add interface to the specified rdomain */ > ifp->if_rdomain = ifr->ifr_rdomainid; > + > + /* re-add sadl to the ifa RB tree in new rdomain */ > + ifa_add(ifp, ifp->if_lladdr); > break; > > case SIOCAIFGROUP: >