Bug 255880 - [PATCH] netpfil/ipfw: Fix a double free in pie_enqueue
Summary: [PATCH] netpfil/ipfw: Fix a double free in pie_enqueue
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Many People
Assignee: Mark Johnston
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-14 14:19 UTC by lylgood
Modified: 2021-05-25 23:25 UTC (History)
2 users (show)

See Also:


Attachments
avoid the m been freed again (477 bytes, patch)
2021-05-14 14:19 UTC, lylgood
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description lylgood 2021-05-14 14:19:39 UTC
Created attachment 224943 [details]
avoid the m been freed again

Bug File: sys/netpfil/ipfw/dn_sched_fq_pie.c

In function pie_enqueue, m is freed via m_freem() at line 737.
But the freed m is freed again via FREE_PKT() at line 751, which is a double free bug.

My patch returns the allocation error of m_tag_alloc() after m_freem(m), to avoid the m been freed again.
Comment 1 commit-hook freebsd_committer 2021-05-18 19:44:54 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c4a6258d70f73c27d8f0c6233edbcc609791806b

commit c4a6258d70f73c27d8f0c6233edbcc609791806b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-18 19:25:16 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D30318

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)
Comment 2 commit-hook freebsd_committer 2021-05-25 13:28:49 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b14db362bbd20e5a3d97d121c403b72473fdc733

commit b14db362bbd20e5a3d97d121c403b72473fdc733
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:26:09 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)
Comment 3 commit-hook freebsd_committer 2021-05-25 13:29:52 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83

commit 419a11681c22ce12d3b9a4ab9ab45ff6b7c4ce83
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-05-18 19:22:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-05-25 13:29:00 +0000

    dummynet: Fix mbuf tag allocation failure handling

    PR:             255875, 255878, 255879, 255880
    Reviewed by:    donner, kp
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit c4a6258d70f73c27d8f0c6233edbcc609791806b)

 sys/netpfil/ipfw/dn_aqm_codel.c      | 4 +---
 sys/netpfil/ipfw/dn_aqm_pie.c        | 6 +++---
 sys/netpfil/ipfw/dn_sched_fq_codel.c | 4 +---
 sys/netpfil/ipfw/dn_sched_fq_pie.c   | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)