diff options
| author |   mpi <mpi@openbsd.org> | 2015-09-11 14:30:30 +0000 |
|---|---|---|
| committer | mpi <mpi@openbsd.org> | 2015-09-11 14:30:30 +0000 |
| commit | eaf16291ea5be5e4a77f39b396bc6a8f905af1b7 (patch) | |
| tree | 0efbf37c2d74a07498ee1d893203d79432a58768 | |
| parent | Remove engine command and parameters from openssl(1). (diff) | |
| download | wireguard-openbsd-eaf16291ea5be5e4a77f39b396bc6a8f905af1b7.tar.xz wireguard-openbsd-eaf16291ea5be5e4a77f39b396bc6a8f905af1b7.zip | |
Increment the reference count of CLONING routes before flushing all
their children to make sure they are still alive after rtfree(9)ing
rt->rt_parent.
Fix a use-after-fruit reported by stsp@
ok claudio@
| -rw-r--r-- | sys/net/route.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/net/route.c b/sys/net/route.c index 19b9b63a817..634f843a19c 100644 --- a/sys/net/route.c +++ b/sys/net/route.c @@ -1,4 +1,4 @@ -/* $OpenBSD: route.c,v 1.233 2015/09/10 17:35:46 dlg Exp $ */ +/* $OpenBSD: route.c,v 1.234 2015/09/11 14:30:30 mpi Exp $ */ /* $NetBSD: route.c,v 1.14 1996/02/13 22:00:46 christos Exp $ */ /* @@ -825,6 +825,12 @@ rtrequest1(int req, struct rt_addrinfo *info, u_int8_t prio, if (error != 0) return (ESRCH); + /* + * We need to hold a reference to ensure rtflushclone() + * wont free us through rt->rt_parent. + */ + rt->rt_refcnt++; + /* clean up any cloned children */ if ((rt->rt_flags & RTF_CLONING) != 0) rtflushclone(tableid, rt); @@ -840,7 +846,6 @@ rtrequest1(int req, struct rt_addrinfo *info, u_int8_t prio, ifa->ifa_rtrequest(RTM_DELETE, rt); rttrash++; - rt->rt_refcnt++; if (ret_nrt != NULL) *ret_nrt = rt; else |