authorbillf <billf@FreeBSD.org>2001-08-26 10:09:47 +0000
committerbillf <billf@FreeBSD.org>2001-08-26 10:09:47 +0000
commit01b240a5a720a0046568469357b690c8bdbbe978 (patch)
tree7ef544fe4012548605eb384d851efedd0d54f034 /sys/netinet/ip_fw.c
parent0dc66a506a5442b8b90fce95c37d7adf03d3d69e (diff)
the IP_FW_GET code in ip_fw_ctl() sizes a buffer to hold information
about rules and dynamic rules. it later fills this buffer with these rules. it also takes the opportunity to compare the expiration of the dynamic rules with the current time and either marks them for deletion or simply charges the countdown. unfortunately it does this all (the sizing, the buffer copying, and the expiration GC) with no spl protection whatsoever. it was possible for the dynamic rule(s) to be ripped out from under the request before it had completed, resulting in corrupt memory dereferencing. Reviewed by: ps MFC before: 4.4-RELEASE, hopefully.
Diffstat (limited to 'sys/netinet/ip_fw.c')
-rw-r--r--sys/netinet/ip_fw.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 818e745..e325436 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -1852,6 +1852,7 @@ ip_fw_ctl(struct sockopt *sopt)
switch (sopt->sopt_name) {
case IP_FW_GET:
size = 0 ;
+ s = splnet();
LIST_FOREACH(fcp, &ip_fw_chain_head, next)
size += sizeof(struct ip_fw) ;
if (ipfw_dyn_v) {
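Review bot: The `s = splnet();` added at the top of the IP_FW_GET case has to be paired with `splx(s)` on every exit from the case, and the only release visible is the one the second hunk adds just before `sooptcopyout()`. The code between the two hunks is not shown; if it contains an early `break` (for example on a failed buffer allocation), that path would leave with the network interrupt level still raised and needs `splx(s);` before the `break`. If the buffer is allocated there with a call that can sleep, the protection presumably lapses during the sleep and the size computed here could be stale by the time the rules are copied, so a non-sleeping allocation or a re-check of the size after allocating would be worth considering. ip_fw_ctl() starts and ends outside this hunk.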
@@ -1896,6 +1897,8 @@ ip_fw_ctl(struct sockopt *sopt)
if (last != NULL)
last->next = NULL ;
}
+ splx(s);
+
error = sooptcopyout(sopt, buf, size);
FREE(buf, M_TEMP);
break;
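Review bot: The placement of `splx(s);` ahead of `sooptcopyout()` deserves a short comment, because that ordering is what keeps the copy to user space out of the protected section. A line such as `/* buf is now a private snapshot; drop splnet before copying out to the user */` above `splx(s);` would stop a later edit from moving the copy back inside it. The enclosing case and function continue outside this hunk.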
OpenPOWER on IntegriCloud