| Summary: | [PATCH] netpfil/ipfw: Fix a double free in aqm_codel_enqueue |
|---|---|
| Product: | Base System |
| Reporter: | lylgood |
| Component: | kern |
| Assignee: | Mark Johnston <markj> |
| Status: | Closed FIXED |
| Severity: | Affects Many People |
| CC: | ipfw, markj |
| Priority: | --- |
| Version: | CURRENT |
| Hardware: | Any |
| OS: | Any |
| Attachments: | |
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c4a6258d70f73c27d8f0c6233edbcc609791806b

commit c4a6258d70f73c27d8f0c6233edbcc609791806b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-18 19:25:16 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D30318

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b14db362bbd20e5a3d97d121c403b72473fdc733

commit b14db362bbd20e5a3d97d121c403b72473fdc733
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:26:09 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)

A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83

commit 419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:29:00 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)
Created attachment 224938: adds a new label "out"

Bug File: sys/netpfil/ipfw/dn_aqm_codel.c

In function aqm_codel_enqueue, it calls m_freem() to free m and then goto drop. But in the drop branch, m is freed again via FREE_PKT(m) at 273, which is a double free bug. My patch adds a new label "out" and lets execution run into the out branch after m is freed, to avoid the double free bug.
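The control-flow bug the reporter describes, reduced to a runnable model. This is an added example, not code from FreeBSD's dn_aqm_codel.c or from the reporter's patch: mock_mbuf, mock_queue, mock_m_freem(), mock_m_tag_alloc(), enqueue_buggy(), enqueue_fixed() and frees_after_enqueue() are constructed stand-ins, and the queue-full check is an assumed second user of the drop: label so that the label still has a legitimate caller after the fix. A real double m_freem() would corrupt the mbuf zone; the mock counts frees instead so the bug is visible as a number. The fix modelled is the reporter's "out" label placed after FREE_PKT(); an equivalent fix is to delete the early m_freem() and let drop:'s FREE_PKT() be the one free. The page shows only the diffstat of the committed change, not which shape it used.

```c
#include <stdio.h>

/* Constructed stand-in for an mbuf; free_count makes a double free observable. */
struct mock_mbuf {
	int has_ts_tag;		/* set when the "timestamp tag" was attached */
	int free_count;		/* how many times this packet has been freed */
};

/* Constructed stand-in for the queue state the enqueue path consults. */
struct mock_queue {
	int len;		/* packets currently queued */
	int limit;		/* at or above this length, drop */
	int tag_alloc_fails;	/* 1 = simulate m_tag_alloc(M_NOWAIT) returning NULL */
	int drops;		/* drop counter, as update_stats() would keep */
};

/* Stand-in for m_freem(): only counts, never touches memory. */
static void mock_m_freem(struct mock_mbuf *m)
{
	m->free_count++;
}

/* Stand-in for m_tag_alloc(): returns 0 where the real call returns NULL. */
static int mock_m_tag_alloc(struct mock_queue *q, struct mock_mbuf *m)
{
	if (q->tag_alloc_fails)
		return 0;
	m->has_ts_tag = 1;
	return 1;
}

/*
 * Shape of the bug in the report: the tag-allocation failure path frees m
 * itself and then jumps to drop:, whose FREE_PKT(m) frees it a second time.
 * Returns 1 when the packet is dropped, 0 when it is queued.
 */
static int enqueue_buggy(struct mock_queue *q, struct mock_mbuf *m)
{
	if (q->len >= q->limit)
		goto drop;		/* queue full: drop: owns the only free */
	if (!mock_m_tag_alloc(q, m)) {
		mock_m_freem(m);	/* first free */
		goto drop;		/* ...and drop: frees it again */
	}
	q->len++;
	return 0;
drop:
	mock_m_freem(m);		/* FREE_PKT(m) */
	q->drops++;
	return 1;
}

/*
 * The reporter's fix: a label after FREE_PKT(), so the path that has
 * already freed m still counts the drop but skips the second free.
 */
static int enqueue_fixed(struct mock_queue *q, struct mock_mbuf *m)
{
	if (q->len >= q->limit)
		goto drop;
	if (!mock_m_tag_alloc(q, m)) {
		mock_m_freem(m);
		goto out;		/* m is already gone: do not free it again */
	}
	q->len++;
	return 0;
drop:
	mock_m_freem(m);		/* FREE_PKT(m): only for paths that still own m */
out:
	q->drops++;
	return 1;
}

/*
 * Runs one packet through either implementation and returns how often it
 * was freed. On a drop path the correct answer is exactly 1; on a successful
 * enqueue it is 0, because the queue now owns the packet.
 */
static int frees_after_enqueue(int use_fixed, int tag_alloc_fails, int queue_full)
{
	struct mock_queue q = { .len = queue_full ? 2 : 0, .limit = 2,
				.tag_alloc_fails = tag_alloc_fails };
	struct mock_mbuf m = { 0 };

	if (use_fixed)
		enqueue_fixed(&q, &m);
	else
		enqueue_buggy(&q, &m);
	return m.free_count;
}

int main(void)
{
	printf("buggy, tag alloc fails: freed %d time(s)\n", frees_after_enqueue(0, 1, 0));
	printf("fixed, tag alloc fails: freed %d time(s)\n", frees_after_enqueue(1, 1, 0));
	printf("fixed, queue full:      freed %d time(s)\n", frees_after_enqueue(1, 0, 1));
	printf("fixed, enqueued:        freed %d time(s)\n", frees_after_enqueue(1, 0, 0));
	return 0;
}
```

Build with `cc -Wall` and run: the buggy variant reports two frees on the tag-allocation failure path, the fixed one reports one on every drop path and zero when the packet is queued. The thing to check when reviewing any `goto drop` cleanup pattern is exactly this ownership question: every jump to the shared label must arrive with the packet still owned by the caller, and a path that has already released it needs its own exit. In the real kernel the trigger is m_tag_alloc(M_NOWAIT) returning NULL under memory pressure, so the double free is reachable without any special input, only a busy system.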