diff options
| author | mvs <mvs@cvs.openbsd.org> | 2020-08-04 09:32:06 +0000 |
|---|---|---|
| committer | mvs <mvs@cvs.openbsd.org> | 2020-08-04 09:32:06 +0000 |
| commit | 27bbfbdc14249c84adf91a61c6e7f1beea3f8c8b (patch) | |
| tree | ad840ec723aa13e70b7054442a1c3cdba1af2eab /sys/netinet | |
| parent | 8c5576158f04ff4e479af2a949b042339a0f0c63 (diff) | |
We have `pipexinq' and `pipexoutq' mbuf(9) queues to store pipex(4)
related mbufs. Each mbuf(9) passed to these queues stores the pointer to
corresponding pipex(4) session referenced as `m_pkthdr.ph_cookie'. When
session was destroyed its reference can still be in these queues so we
have use after free issue while pipexintr() dereference it.
I removed `pipexinq', `pipexoutq' and pipexintr(). This not only allows
us to avoid issue described above, but also removes unnecessary context
switch in packet processing. Also it makes code simpler.
ok mpi@ yasuoka@
Diffstat (limited to 'sys/netinet')
0 files changed, 0 insertions, 0 deletions