| Summary: | if netgraph seriously runs out of queue entries it crashes the kernel | | |
|---|---|---|---|
| Product: | Base System | Reporter: | brandt <brandt> |
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | Unspecified | | |
| Hardware: | Any | | |
| OS: | Any | | |

State Changed From-To: open->closed. Fixed in revision 1.54 of src/sys/netgraph/ng_base.c
The function ng_getqblk() in ng_base.c allocates queue entries. If it fails to allocate one, it drops out of a loop in that function and, just before returning to the caller, tries to clear the NGQF_FREE flag on the entry it is about to return. If the allocation has failed, this will access a NULL pointer.

Fix: at the end of ng_getqblk(), replace

    item->el_flags &= ~NGQF_FREE;

by

    if (item) item->el_flags &= ~NGQF_FREE;

How-To-Repeat: Use up all available kernel memory and try to send netgraph messages.
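The following is an added example, not code from FreeBSD's ng_base.c or from the reporter: a small user-space model of a netgraph-style queue-entry allocator that reproduces the failure path described in the report and shows the guarded flag update beside the unguarded one. Only NGQF_FREE and el_flags are taken from the report; struct qblk, free_list, alloc_budget, getqblk_loop, ng_getqblk_buggy, ng_getqblk_fixed, ng_putqblk, qblk_reset and demo_exhaustion are this example's own names. Instead of the report's "use up all available kernel memory", allocation failure is injected with a budget, which is how a practitioner would exercise the out-of-memory path deterministically in a unit test or under a kernel fault-injection framework.

```c
/*
 * Added example (not FreeBSD code): model of a queue-entry allocator with
 * a reusable free list and a fallible backing allocator. Names other than
 * NGQF_FREE and el_flags are assumptions made for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define NGQF_FREE 0x01      /* entry sits on the free list (flag name from the report) */

struct qblk {
    struct qblk *next;
    unsigned int el_flags;
};

static struct qblk *free_list;     /* released entries waiting for reuse */
static int alloc_budget = -1;      /* fault injection: -1 unlimited, else allocations left */

/* Stand-in for the kernel allocator; returns NULL once the budget is spent. */
static struct qblk *qblk_backing_alloc(void)
{
    struct qblk *q;

    if (alloc_budget == 0)
        return NULL;                /* simulated out-of-memory */
    if (alloc_budget > 0)
        alloc_budget--;
    q = malloc(sizeof(*q));
    if (q != NULL) {
        q->next = NULL;
        q->el_flags = NGQF_FREE;
    }
    return q;
}

/* The loop the report describes: reuse a free entry, else allocate one,
 * and drop out with item == NULL if even that fails. */
static struct qblk *getqblk_loop(void)
{
    struct qblk *item = NULL;

    while (item == NULL) {
        if (free_list != NULL) {
            item = free_list;
            free_list = item->next;
        } else {
            item = qblk_backing_alloc();
            if (item == NULL)
                break;              /* allocation failed: leave the loop */
        }
    }
    return item;
}

/* Before the fix: the flag is cleared unconditionally, so an exhausted
 * allocator becomes a NULL dereference (a kernel panic in the real code). */
struct qblk *ng_getqblk_buggy(void)
{
    struct qblk *item = getqblk_loop();

    item->el_flags &= ~NGQF_FREE;   /* BUG: item may be NULL here */
    return item;
}

/* After the fix: guard the update and hand NULL back to the caller. */
struct qblk *ng_getqblk_fixed(void)
{
    struct qblk *item = getqblk_loop();

    if (item != NULL)
        item->el_flags &= ~NGQF_FREE;
    return item;
}

/* Return an entry to the free list, marking it free again. */
void ng_putqblk(struct qblk *item)
{
    item->el_flags |= NGQF_FREE;
    item->next = free_list;
    free_list = item;
}

/* Reset the model: empty the free list and set the allocation budget. */
void qblk_reset(int budget)
{
    while (free_list != NULL) {
        struct qblk *n = free_list->next;
        free(free_list);
        free_list = n;
    }
    alloc_budget = budget;
}

/* Exhaustion scenario under fault injection: two allocations succeed, the
 * third must return NULL instead of crashing, and a released entry is handed
 * out again while the allocator is still exhausted. Returns 1 on success. */
int demo_exhaustion(void)
{
    struct qblk *a, *b, *c;
    int ok = 1;

    qblk_reset(2);
    a = ng_getqblk_fixed();
    b = ng_getqblk_fixed();
    if (a == NULL || b == NULL)
        return 0;
    ok &= ((a->el_flags & NGQF_FREE) == 0);   /* FREE cleared on hand-out */
    ok &= (ng_getqblk_fixed() == NULL);       /* exhausted: NULL, no crash */
    ng_putqblk(a);
    ok &= ((a->el_flags & NGQF_FREE) != 0);
    c = ng_getqblk_fixed();
    ok &= (c == a && (c->el_flags & NGQF_FREE) == 0);
    ok &= (ng_getqblk_fixed() == NULL);
    free(b);
    free(c);
    return ok;
}

int main(void)
{
    /* ng_getqblk_buggy() is not called on an exhausted budget: it would
     * dereference NULL, which is exactly the crash the report describes. */
    printf("fixed allocator survives exhaustion: %s\n",
           demo_exhaustion() ? "yes" : "no");
    return 0;
}
```

The model makes the shape of the bug visible: the loop has two exit conditions (an entry found, or the allocator failed) but the code after it assumed only the first. The guard is necessary but not sufficient on its own; every caller of the allocator must also handle the NULL return, otherwise the crash just moves one frame up the stack.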