authorYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2013-09-20 08:11:56 +0000
committerYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2013-09-20 08:11:56 +0000
commit99bbb4bc02ca966b79bc4158093cdd7cb5fd8251 (patch)
tree3806789e12451ec781b386ebf1ad3a8b98814966 /sys/net
parentafb7822aba1bf8f921ef3e849db309b5b38e1dea (diff)
Fix a panic bug in pipex. If pipex deletes a session by the idle-timer
when the userland program (npppd) is dead or frozen, the session remains in state_list after it is destroyed and is then used after free.
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pipex.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index 5da7f15bbf4..9c2523e8646 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.c,v 1.42 2013/06/08 14:24:38 yasuoka Exp $ */
+/* $OpenBSD: pipex.c,v 1.43 2013/09/20 08:11:55 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -850,19 +850,22 @@ pipex_timer(void *ignored_arg)
case PIPEX_STATE_CLOSE_WAIT:
case PIPEX_STATE_CLOSE_WAIT2:
+ /* Wait PIPEXDSESSION from userland */
session->stat.idle_time++;
if (session->stat.idle_time < PIPEX_CLOSE_TIMEOUT)
continue;
+
+ if (session->state == PIPEX_STATE_CLOSE_WAIT)
+ LIST_REMOVE(session, state_list);
session->state = PIPEX_STATE_CLOSED;
/* FALLTHROUGH */
+
case PIPEX_STATE_CLOSED:
/*
- * if mbuf which queued pipexinq has
- * session reference pointer, the
- * referenced session must not destroy.
+ * mbuf queued in pipexinq or pipexoutq may have a
+ * refererce to this session.
*/
- if (!IF_IS_EMPTY(&pipexinq) ||
- !IF_IS_EMPTY(&pipexoutq))
+ if (!IF_IS_EMPTY(&pipexinq) || !IF_IS_EMPTY(&pipexoutq))
continue;
pipex_destroy_session(session);
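Review bot: The new `LIST_REMOVE(session, state_list)` is guarded by `session->state == PIPEX_STATE_CLOSE_WAIT`, so a session that times out in `PIPEX_STATE_CLOSE_WAIT2` is destroyed without being unlinked, and nothing in the hunk shows why that is safe. If the invariant is that only CLOSE_WAIT sessions are still linked on state_list, say so next to the check, e.g. `/* CLOSE_WAIT2 sessions are already off state_list */`; otherwise the same use-after-free would remain for that state. The rewritten comment above the queue check also misspells "reference" as `refererce`. pipex_timer starts and ends outside the hunk, so where a session enters CLOSE_WAIT2 cannot be checked from here.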