Prevent icmp_reflect() from calling ip_output() with a NULL route

pointer which will then result in the allocated route's reference
count never being decremented.  Just flood ping the localhost and
watch refcnt of the 127.0.0.1 route with netstat(1).

Submitted by:	jayanth

Back out ip_output.c,v 1.143 and ip_mroute.c,v 1.69 that allowed
ip_output() to be called with a NULL route pointer.  The previous
paragraph shows why this was a bad idea in the first place.

MFC after:	0 days
Ruslan Ermilov 2002-03-22 16:45:54 +00:00
parent db51256707
commit e3f406b3c1
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=92960
3 changed files with 8 additions and 9 deletions


@ -600,6 +600,8 @@ icmp_reflect(m)
}
t = ip->ip_dst;
ip->ip_dst = ip->ip_src;
ro = &rt;
bzero(ro, sizeof(*ro));
/*
* If the incoming packet was addressed directly to us,
* use dst as the src for the reply. Otherwise (broadcast
@ -620,8 +622,6 @@ icmp_reflect(m)
goto match;
}
}
ro = &rt;
bzero(ro, sizeof(*ro));
ia = ip_rtaddr(ip->ip_dst, ro);
/* We need a route to do anything useful. */
if (ia == NULL) {
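Review bot: The early setup of `ro` in the first hunk carries no comment saying why it has to sit ahead of the address-matching code, so a later cleanup could move it back next to `ip_rtaddr()`, where the second hunk shows it used to be. Judging by the commit message, the `goto match` paths skip that later spot and would otherwise reach the send path with `ro` unset. I would add `/* Set up ro before any goto match: ip_output() must never see a NULL route. */` above `ro = &rt;`. The body of icmp_reflect() starts and ends outside both hunks, so confirm on its exit path that any route cached in `rt` is released once the reply has been sent.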


@ -1867,6 +1867,7 @@ tbf_send_packet(vifp, m)
{
struct ip_moptions imo;
int error;
static struct route ro;
int s = splnet();
if (vifp->v_flags & VIFF_TUNNEL) {
@ -1885,7 +1886,7 @@ tbf_send_packet(vifp, m)
* should get rejected because they appear to come from
* the loopback interface, thus preventing looping.
*/
error = ip_output(m, (struct mbuf *)0, NULL,
error = ip_output(m, (struct mbuf *)0, &ro,
IP_FORWARDING, &imo);
if (mrtdebug & DEBUG_XMIT)
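Review bot: `static struct route ro;` in tbf_send_packet() makes the route structure persistent and shared by every call, so whatever route ip_output() caches in it presumably stays referenced after the packet is sent and is consulted again for the next packet, whichever vif that is for. That replaces the per-packet leak described in the commit message with one long-held reference, and it relies on the `splnet()` section for serialization. If that is intended, it deserves a comment such as `/* static: zero-initialized; keeps ip_output()'s cached route between calls */`. Otherwise a local `struct route ro;` with `bzero(&ro, sizeof(ro));` before the call and `if (ro.ro_rt) RTFREE(ro.ro_rt);` after it would keep the reference count balanced per packet. The function body continues outside the hunk.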


@ -123,12 +123,12 @@ ip_output(m0, opt, ro, flags, imo)
struct mbuf *m = m0;
int hlen = sizeof (struct ip);
int len, off, error = 0;
struct route iproute;
struct sockaddr_in *dst;
struct in_ifaddr *ia;
int isbroadcast, sw_csum;
struct in_addr pkt_dst;
#ifdef IPSEC
struct route iproute;
struct socket *so = NULL;
struct secpolicy *sp = NULL;
#endif
@ -189,6 +189,9 @@ ip_output(m0, opt, ro, flags, imo)
#ifdef DIAGNOSTIC
if ((m->m_flags & M_PKTHDR) == 0)
panic("ip_output no HDR");
if (!ro)
panic("ip_output no route, proto = %d",
mtod(m, struct ip *)->ip_p);
#endif
if (opt) {
m = ip_insertoptions(m, opt, &len);
@ -214,11 +217,6 @@ ip_output(m0, opt, ro, flags, imo)
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
}
/* Route packet. */
if (ro == NULL) {
ro = &iproute;
bzero(ro, sizeof(*ro));
}
dst = (struct sockaddr_in *)&ro->ro_dst;
/*
* If there is a cached route,
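Review bot: The non-NULL requirement on `ro` is checked only inside `#ifdef DIAGNOSTIC`, while the last hunk drops the `if (ro == NULL)` fallback to the local `iproute`. In a kernel built without DIAGNOSTIC, a caller that still passes NULL therefore reaches `dst = (struct sockaddr_in *)&ro->ro_dst;` and the later uses of `ro` with a null pointer, and faults there instead of failing with a clear message. Either make the check unconditional (`if (ro == NULL) panic("ip_output no route");` outside the `#ifdef`), or state the contract in the function's header comment, for example `/* ro must be non-NULL; the caller owns the structure and releases any route cached in it. */`. Only three files are touched here, so the remaining ip_output() callers in the tree should be checked for NULL route arguments.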