mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2025-01-16 15:11:52 +00:00
Code Issues Releases Activity

In several cases in ip_output() we obtain reference on ifa. Do not

Browse Source 
leak it.

Together with:	asomers, np
Sponsored by:	Nginx, Inc.
This commit is contained in:
Gleb Smirnoff 2014-07-09 07:48:05 +00:00
parent 409a3c1383
commit fe82cbe85c
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=268450
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
sys/netinet/ip_output.c
View File

@ -136,6 +136,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
struct rtentry *rte; /* cache for ro->ro_rt */
struct in_addr odst;
struct m_tag *fwd_tag = NULL;
int have_ia_ref;
#ifdef IPSEC
int no_route_but_check_spd = 0;
#endif
@ -202,6 +203,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
gw = dst = (struct sockaddr_in *)&ro->ro_dst;
again:
ia = NULL;
have_ia_ref = 0;
/*
* If there is a cached route, check that it is to the same
* destination and is still up. If not, free it and try again.
@ -238,6 +240,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
error = ENETUNREACH;
goto bad;
}
have_ia_ref = 1;
ip->ip_dst.s_addr = INADDR_BROADCAST;
dst->sin_addr = ip->ip_dst;
ifp = ia->ia_ifp;
@ -250,6 +253,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
error = ENETUNREACH;
goto bad;
}
have_ia_ref = 1;
ifp = ia->ia_ifp;
ip->ip_ttl = 1;
isbroadcast = in_broadcast(dst->sin_addr, ifp);
@ -261,6 +265,8 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
*/
ifp = imo->imo_multicast_ifp;
IFP_TO_IA(ifp, ia);
if (ia)
have_ia_ref = 1;
isbroadcast = 0; /* fool gcc */
} else {
/*
@ -552,8 +558,11 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
#endif
error = netisr_queue(NETISR_IP, m);
goto done;
} else
} else {
if (have_ia_ref)
ifa_free(&ia->ia_ifa);
goto again; /* Redo the routing table lookup. */
}
}
/* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */
@ -582,6 +591,8 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
m->m_flags |= M_SKIP_FIREWALL;
m->m_flags &= ~M_IP_NEXTHOP;
m_tag_delete(m, fwd_tag);
if (have_ia_ref)
ifa_free(&ia->ia_ifa);
goto again;
}
@ -694,6 +705,8 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
done:
if (ro == &iproute)
RO_RTFREE(ro);
if (have_ia_ref)
ifa_free(&ia->ia_ifa);
return (error);
bad:
m_freem(m);