Work around a race in bpfread() by validating the hold buffer pointer

before freeing it. Otherwise, we can lose a buffer and cause a panic
in catchpacket().
Guy Helmer 2012-11-06 21:07:04 +00:00
parent 274b95d3ac
commit 0e8a1cb3c9


@ -954,10 +954,13 @@ bpfread(struct cdev *dev, struct uio *uio, int ioflag)
error = bpf_uiomove(d, d->bd_hbuf, d->bd_hlen, uio);
BPFD_LOCK(d);
d->bd_fbuf = d->bd_hbuf;
d->bd_hbuf = NULL;
d->bd_hlen = 0;
bpf_buf_reclaimed(d);
if (d->bd_hbuf != NULL) {
/* Free the hold buffer only if it is still valid. */
d->bd_fbuf = d->bd_hbuf;
d->bd_hbuf = NULL;
d->bd_hlen = 0;
bpf_buf_reclaimed(d);
}
BPFD_UNLOCK(d);
return (error);