author | YASUOKA Masahiko <yasuoka@cvs.openbsd.org> | 2013-09-20 08:11:56 +0000 |
---|---|---|
committer | YASUOKA Masahiko <yasuoka@cvs.openbsd.org> | 2013-09-20 08:11:56 +0000 |
commit | 99bbb4bc02ca966b79bc4158093cdd7cb5fd8251 (patch) | |
tree | 3806789e12451ec781b386ebf1ad3a8b98814966 /sys/net | |
parent | afb7822aba1bf8f921ef3e849db309b5b38e1dea (diff) |
Fix a panic bug in pipex. If pipex deletes a session by the idle-timer
when the userland program (npppd) is dead or frozen, the session remains in
state_list after it is destroyed, so it will be used after free.
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/pipex.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/sys/net/pipex.c b/sys/net/pipex.c index 5da7f15bbf4..9c2523e8646 100644 --- a/sys/net/pipex.c +++ b/sys/net/pipex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pipex.c,v 1.42 2013/06/08 14:24:38 yasuoka Exp $ */ +/* $OpenBSD: pipex.c,v 1.43 2013/09/20 08:11:55 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -850,19 +850,22 @@ pipex_timer(void *ignored_arg) case PIPEX_STATE_CLOSE_WAIT: case PIPEX_STATE_CLOSE_WAIT2: + /* Wait PIPEXDSESSION from userland */ session->stat.idle_time++; if (session->stat.idle_time < PIPEX_CLOSE_TIMEOUT) continue; + + if (session->state == PIPEX_STATE_CLOSE_WAIT) + LIST_REMOVE(session, state_list); session->state = PIPEX_STATE_CLOSED; /* FALLTHROUGH */ + case PIPEX_STATE_CLOSED: /* - * if mbuf which queued pipexinq has - * session reference pointer, the - * referenced session must not destroy. + * mbuf queued in pipexinq or pipexoutq may have a + * refererce to this session. */ - if (!IF_IS_EMPTY(&pipexinq) || - !IF_IS_EMPTY(&pipexoutq)) + if (!IF_IS_EMPTY(&pipexinq) || !IF_IS_EMPTY(&pipexoutq)) continue; pipex_destroy_session(session); |
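Review bot: The `LIST_REMOVE(session, state_list)` added to the `PIPEX_STATE_CLOSE_WAIT`/`PIPEX_STATE_CLOSE_WAIT2` timeout path is guarded by `session->state == PIPEX_STATE_CLOSE_WAIT`, but nothing in the hunk says why a `CLOSE_WAIT2` session must be skipped. Presumably such a session has already been unlinked from `state_list` elsewhere (not visible here), in which case a second removal would corrupt the list. Since the use-after-free fix depends on that invariant, it should be written down above the check, e.g. `/* only CLOSE_WAIT sessions are still linked on state_list */`. The rewritten comment under `case PIPEX_STATE_CLOSED:` also has a typo, `refererce` for `reference`. The body of `pipex_timer` starts and ends outside the hunk.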