summaryrefslogtreecommitdiff
path: root/sys/net
diff options
context:
space:
mode:
authorClaudio Jeker <claudio@cvs.openbsd.org>2007-07-04 12:15:54 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2007-07-04 12:15:54 +0000
commit7088ede165ed0929153b76ed225b0977d4183e4a (patch)
tree6c3f4e913b3de8ed5bec7704f7af25cc058312a0 /sys/net
parent0687f59a21523618fe87b866224fd23a763f57a4 (diff)
Fix a use after free crash in in_delmulti(). If a interface is detached
before it is removed from the multicast group in_delmulti() will try to access the no longer available ifp. We invalidate the ifa_ifp back pointer in the ifa in if_detach() now and use the ifa_ifp in in_delmulti() instead of the internal inm_ifp. By doing it this way we know if the interface was removed. This fixes a kernel panic triggered by ospfd and gif(4) tunnels. looks good henning@ reyk@
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/if.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/net/if.c b/sys/net/if.c
index ffd9cb5e874..c1730c44073 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.163 2007/06/17 21:01:32 henning Exp $ */
+/* $OpenBSD: if.c,v 1.164 2007/07/04 12:15:53 claudio Exp $ */
/* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */
/*
@@ -580,6 +580,7 @@ do { \
if (ifa == ifnet_addrs[ifp->if_index])
continue;
+ ifa->ifa_ifp = NULL;
IFAFREE(ifa);
}
@@ -589,6 +590,7 @@ do { \
if_free_sadl(ifp);
+ ifnet_addrs[ifp->if_index]->ifa_ifp = NULL;
IFAFREE(ifnet_addrs[ifp->if_index]);
ifnet_addrs[ifp->if_index] = NULL;