Bug 255879

Summary:

[PATCH] netpfil/ipfw: Fix a double free in codel_enqueue

Product:

Base System

Reporter:

lylgood

Component:

kern

Assignee:

Mark Johnston <markj>

Status:

Closed FIXED

Severity:

Affects Many People

CC:

freebsd.68fba, ipfw, markj

Priority:

---

Version:

CURRENT

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
removes the redundant m_freem() in drop branch.	none

Description lylgood 2021-05-14 14:13:40 UTC

Created attachment 224942 [details]
removes the redundant m_freem() in drop branch.

Bug File: sys/netpfil/ipfw/dn_sched_fq_codel.c

In function codel_enqueue, m is freed via m_freem() at line 193.
But the freed m is freed again in the drop branch via m_freem() at line 205, which is a double free bug.

My patch removes the redundant m_freem() in drop branch.

Comment 1 commit-hook freebsd_committer

2021-05-18 19:44:53 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c4a6258d70f73c27d8f0c6233edbcc609791806b

commit c4a6258d70f73c27d8f0c6233edbcc609791806b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-18 19:25:16 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D30318

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)

Comment 2 commit-hook freebsd_committer

2021-05-25 13:28:51 UTC

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b14db362bbd20e5a3d97d121c403b72473fdc733

commit b14db362bbd20e5a3d97d121c403b72473fdc733
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:26:09 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)

Comment 3 commit-hook freebsd_committer

2021-05-25 13:29:55 UTC

A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83

commit 419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:29:00 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)