4.2 raw_usrreq() reuses freed route
rws at Mit-Bold.ARPA
rws at Mit-Bold.ARPA
Thu Mar 22 11:41:17 AEST 1984
From: Robert W. Scheifler <rws at Mit-Bold.ARPA>
Description:
When raw_usrreq() frees a route in the process of sending a packet,
it doesn't zero the pointer to the route. This results in freeing
the route multiple times, and in using that route for the duration,
as all subsequent rtalloc's become no-ops (see the /* XXX */ comment
in rtalloc).
Repeat-By:
Use one socket to send raw packets that need different routes;
many packets won't go where they are supposed to go.
Fix:
In raw_usrreq(), under case PRU_SEND, change
if (rp->rcb_route.ro_rt)
rtfree(rp->rcb_route.ro_rt);
to
if (rp->rcb_route.ro_rt) {
RTFREE(rp->rcb_route.ro_rt);
rp->rcb_route.ro_rt = NULL;
}
More information about the Comp.unix.wizards
mailing list