diff options
| author | Claudio Jeker <claudio@cvs.openbsd.org> | 2007-07-04 12:15:54 +0000 |
|---|---|---|
| committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2007-07-04 12:15:54 +0000 |
| commit | 7088ede165ed0929153b76ed225b0977d4183e4a (patch) | |
| tree | 6c3f4e913b3de8ed5bec7704f7af25cc058312a0 /sys/net/if.c | |
| parent | 0687f59a21523618fe87b866224fd23a763f57a4 (diff) | |
Fix a use after free crash in in_delmulti(). If a interface is detached
before it is removed from the multicast group in_delmulti() will try to
access the no longer available ifp.
We invalidate the ifa_ifp back pointer in the ifa in if_detach() now and use
the ifa_ifp in in_delmulti() instead of the internal inm_ifp. By doing it
this way we know if the interface was removed.
This fixes a kernel panic triggered by ospfd and gif(4) tunnels.
looks good henning@ reyk@
Diffstat (limited to 'sys/net/if.c')
| -rw-r--r-- | sys/net/if.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/net/if.c b/sys/net/if.c index ffd9cb5e874..c1730c44073 100644 --- a/sys/net/if.c +++ b/sys/net/if.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if.c,v 1.163 2007/06/17 21:01:32 henning Exp $ */ +/* $OpenBSD: if.c,v 1.164 2007/07/04 12:15:53 claudio Exp $ */ /* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */ /* @@ -580,6 +580,7 @@ do { \ if (ifa == ifnet_addrs[ifp->if_index]) continue; + ifa->ifa_ifp = NULL; IFAFREE(ifa); } @@ -589,6 +590,7 @@ do { \ if_free_sadl(ifp); + ifnet_addrs[ifp->if_index]->ifa_ifp = NULL; IFAFREE(ifnet_addrs[ifp->if_index]); ifnet_addrs[ifp->if_index] = NULL; |