We can't implicitly trust the hook on NGQF_FN/NGQF_FN2 processing in
ng_apply_item(). This can cause use-after-free class panics (and I have hit one). If a hook is specified, require it to be valid at apply time. The only exceptions are the internal ng_con_part2(), ng_con_part3() and ng_rmhook_part2() functions, which are specifically written to work with invalid hooks.
This commit is contained in:
parent
d56bc17bce
commit
74c9119d4a
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=182995
@ -2365,19 +2365,27 @@ ng_apply_item(node_p node, item_p item, int rw)
|
||||
case NGQF_FN:
|
||||
case NGQF_FN2:
|
||||
/*
|
||||
* We have to implicitly trust the hook,
|
||||
* as some of these are used for system purposes
|
||||
* where the hook is invalid. In the case of
|
||||
* the shutdown message we allow it to hit
|
||||
* In the case of the shutdown message we allow it to hit
|
||||
* even if the node is invalid.
|
||||
*/
|
||||
if ((NG_NODE_NOT_VALID(node))
|
||||
&& (NGI_FN(item) != &ng_rmnode)) {
|
||||
if (NG_NODE_NOT_VALID(node) &&
|
||||
NGI_FN(item) != &ng_rmnode) {
|
||||
TRAP_ERROR();
|
||||
error = EINVAL;
|
||||
NG_FREE_ITEM(item);
|
||||
break;
|
||||
}
|
||||
/* Same is about some internal functions and invalid hook. */
|
||||
if (hook && NG_HOOK_NOT_VALID(hook) &&
|
||||
NGI_FN2(item) != &ng_con_part2 &&
|
||||
NGI_FN2(item) != &ng_con_part3 &&
|
||||
NGI_FN(item) != &ng_rmhook_part2) {
|
||||
TRAP_ERROR();
|
||||
error = EINVAL;
|
||||
NG_FREE_ITEM(item);
|
||||
break;
|
||||
}
|
||||
|
||||
if ((item->el_flags & NGQF_TYPE) == NGQF_FN) {
|
||||
(*NGI_FN(item))(node, hook, NGI_ARG1(item),
|
||||
NGI_ARG2(item));
|
||||
|
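Review bot: The new exemption test at `if (hook && NG_HOOK_NOT_VALID(hook) &&` compares `NGI_FN2(item)` against ng_con_part2/ng_con_part3 and `NGI_FN(item)` against ng_rmhook_part2 without consulting `item->el_flags & NGQF_TYPE`, even though the dispatch a few lines below does select the accessor by that flag; if NGI_FN and NGI_FN2 read the same storage in the item the mixed comparison is harmless, but if they are distinct fields one of them is being compared against a stale or unrelated pointer for the other item type, so either split the test by type or state in a comment that the two accessors alias. Rejecting an invalid hook by default and allow-listing only the helpers that cope with one is the right shape for an NGQF_FN path, but the comment `/* Same is about some internal functions and invalid hook. */` does not say why those three are exempt or that any future helper needing an invalid hook must be added here; suggest `/* Likewise reject an invalid hook, except for the internal helpers written to cope with one (ng_con_part2/3, ng_rmhook_part2); extend this list if another such helper is added. */`. The two rejection arms also duplicate `TRAP_ERROR(); error = EINVAL; NG_FREE_ITEM(item); break;`, which could be folded into one condition or a shared label, though that is style only. The body of ng_apply_item starts and ends outside this hunk.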