Bug 255875 - [PATCH] netpfil/ipfw: Fix a double free in aqm_codel_enqueue
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Mark Johnston
Reported: 2021-05-14 13:02 UTC by lylgood
Modified: 2021-05-25 23:23 UTC

Attachments
adds a new label "out" (602 bytes, patch)
2021-05-14 13:02 UTC, lylgood

Description lylgood 2021-05-14 13:02:08 UTC
Created attachment 224938
adds a new label "out"

Bug File: sys/netpfil/ipfw/dn_aqm_codel.c

In function aqm_codel_enqueue, it calls m_freem() to free m and goto drop.
But in the drop branch, m is freed again via FREE_PKT(m) at 273, which is a double free bug.

My patch adds a new label "out" and lets execution run into the out branch after m is freed, to avoid the double free bug.
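
The error path described in the report above, as an added user-space model that is not part of the original report or the FreeBSD source. `struct pkt`, `pkt_free()`, the `queue_full` path and both enqueue functions are hypothetical stand-ins, and releases are counted rather than performed so the second free can be observed without undefined behaviour.

```c
/* Added user-space model, not FreeBSD kernel code; every name is a hypothetical stand-in. */
#include <stdbool.h>
#include <stdio.h>
struct pkt { int free_calls; };   /* releases are counted, not performed */
static void pkt_free(struct pkt *p) { p->free_calls++; }

/* Reported pattern: the failure branch frees p, then drop frees it again. */
static int enqueue_reported(struct pkt *p, bool queue_full, bool tag_fail)
{
	if (queue_full)
		goto drop;            /* assumed second path: p is still live here */
	if (tag_fail) {           /* stands in for a failed tag allocation */
		pkt_free(p);          /* first release */
		goto drop;            /* second release below */
	}
	return 0;                 /* enqueued: the queue owns p now */
drop:
	pkt_free(p);
	return 1;
}

/* Shape of the reporter's fix: an "out" label after drop's release. */
static int enqueue_out_label(struct pkt *p, bool queue_full, bool tag_fail)
{
	if (queue_full)
		goto drop;
	if (tag_fail) {
		pkt_free(p);
		goto out;             /* already released: skip drop's free */
	}
	return 0;
drop:
	pkt_free(p);
out:
	return 1;
}

static int frees_on_path(int (*fn)(struct pkt *, bool, bool), bool queue_full, bool tag_fail)
{
	struct pkt p = { 0 };
	fn(&p, queue_full, tag_fail);
	return p.free_calls;      /* more than 1 means a double free */
}

int main(void)
{
	printf("releases on tag failure: reported=%d, out label=%d\n",
	    frees_on_path(enqueue_reported, false, true), frees_on_path(enqueue_out_label, false, true));
	return 0;
}
```

Counting releases per path is also a cheap way to check that a fix for a double free has not turned another path that reaches the same label into a leak.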
Comment 1 commit-hook freebsd_committer freebsd_triage 2021-05-18 19:44:51 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c4a6258d70f73c27d8f0c6233edbcc609791806b

commit c4a6258d70f73c27d8f0c6233edbcc609791806b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-18 19:25:16 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D30318

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-05-25 13:28:47 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b14db362bbd20e5a3d97d121c403b72473fdc733

commit b14db362bbd20e5a3d97d121c403b72473fdc733
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:26:09 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2021-05-25 13:29:54 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83

commit 419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:29:00 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)