On Fri, Mar 27, 2020 at 10:43:52AM +0100, Martin Pieuchot wrote:
> Do you have a backtrace for the memory corruption? Could you share it?
Yes. Apply the patch below, compile and run the code, and once you see
"pipex_session ... killed" kill this program. Screenshot attached.
STABLE-6.[56] are affected too.
---- cut begin ----
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <stdio.h>
#include <err.h>
#include <fcntl.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <net/if.h>
#include <net/pipex.h>
/*
 * Fill in a PIPEXASESSION request for an L2TP session with no idle
 * timeout.  Every byte of *req is cleared first so the kernel never sees
 * stale stack contents; both endpoints are AF_INET with a sockaddr_in
 * length and the addresses themselves left as zero.
 */
static void
prepare_request(struct pipex_session_req *req)
{
	memset(req, 0, sizeof *req);

	req->pr_protocol = PIPEX_PROTO_L2TP;
	req->pr_timeout_sec = 0;	/* no idle timer */

	req->pr_local_address.ss_family = AF_INET;
	req->pr_local_address.ss_len = sizeof(struct sockaddr_in);
	req->pr_peer_address.ss_family = AF_INET;
	req->pr_peer_address.ss_len = sizeof(struct sockaddr_in);
}

/*
 * Reproducer: open the pppx control device, create one pipex session on
 * it, then block so the session stays open.  The process is expected to
 * be killed by hand; every failure before that point exits via err(3).
 */
int
main(void)
{
	struct pipex_session_req req;
	int dev = open("/dev/pppx0", O_RDWR);

	if (dev < 0)
		err(1, "open()");

	prepare_request(&req);

	if (ioctl(dev, PIPEXASESSION, &req) < 0)
		err(1, "ioctl()");

	/* Sleep indefinitely (until a signal); the tester terminates us. */
	select(0, NULL, NULL, NULL, NULL);

	return 0;
}
---- cut end ----
Index: sys/net/if_pppx.c
===================================================================
RCS file: /cvs/src/sys/net/if_pppx.c,v
retrieving revision 1.77
diff -u -p -r1.77 if_pppx.c
--- sys/net/if_pppx.c 26 Mar 2020 16:50:46 -0000 1.77
+++ sys/net/if_pppx.c 27 Mar 2020 12:02:33 -0000
@@ -665,6 +665,12 @@ pppx_add_session(struct pppx_dev *pxd, s
struct ifnet *over_ifp = NULL;
#endif
+#if 0
+ /* XXX: prevent pxi destruction by pipex_timer() */
+ if (req->pr_timeout_sec != 0)
+ return (EINVAL);
+#endif
+
switch (req->pr_protocol) {
#ifdef PIPEX_PPPOE
case PIPEX_PROTO_PPPOE:
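Review bot: The guard added under `#if 0` (`if (req->pr_timeout_sec != 0) return (EINVAL);`) is compiled out, so it changes nothing, and if enabled it would refuse every idle timeout rather than address the problem its own comment names. The pipex.c hunks show pipex_timer() calling pipex_destroy_session() on a session that, per the second if_pppx.c hunk (`session = &pxi->pxi_session;`), is a member of a pool_get()'d pppx_if and not separately owned by pipex, so destroying it from the timer frees storage pppx still references. A durable fix would let the timer close the session but leave teardown of pxi-embedded sessions to the pppx side, for instance by having the timer's closed-state case consult an ownership marker on the session before calling pipex_destroy_session(). pppx_add_session() begins before this hunk.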
@@ -706,6 +712,11 @@ pppx_add_session(struct pppx_dev *pxd, s
pxi = pool_get(pppx_if_pl, PR_WAITOK | PR_ZERO);
if (pxi == NULL)
return (ENOMEM);
+
+#if 1
+ printf("%s: new pppx_if pipex_session %p timeout %u\n",
+ __func__, &pxi->pxi_session, req->pr_timeout_sec);
+#endif
session = &pxi->pxi_session;
ifp = &pxi->pxi_if;
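Review bot: The `%p` conversion in the new printf writes the kernel address of `pxi->pxi_session` to the console and message buffer; that is acceptable for a throwaway diagnostic, but together with the matching `#if 1` blocks in both pipex.c hunks it must not reach a commit, since it exposes kernel heap layout to anyone who can read dmesg. The `%u` conversion also assumes `req->pr_timeout_sec` is unsigned; if the field is declared `int` in net/pipex.h, use `%d` so the format stays matched to the argument. The remainder of pppx_add_session() lies outside the hunk.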
Index: sys/net/pipex.c
===================================================================
RCS file: /cvs/src/sys/net/pipex.c,v
retrieving revision 1.109
diff -u -p -r1.109 pipex.c
--- sys/net/pipex.c 26 Mar 2020 16:50:46 -0000 1.109
+++ sys/net/pipex.c 27 Mar 2020 12:02:34 -0000
@@ -767,6 +767,10 @@ pipex_timer(void *ignored_arg)
session->stat.idle_time++;
if (session->stat.idle_time < session->timeout_sec)
continue;
+#if 1
+ printf("%s: pipex_session %p timeout\n",
+ __func__, session);
+#endif
pipex_notify_close_session(session);
break;
@@ -792,6 +796,10 @@ pipex_timer(void *ignored_arg)
continue;
pipex_destroy_session(session);
+#if 1
+ printf("%s: pipex_session %p killed\n",
+ __func__, session);
+#endif
break;
default: