Fix possible NULL pointer dereference.

bpf_mtap() can invoke catchpacket() for already detached descriptor. And this can lead to NULL pointer dereference, since bd_bif pointer was reset to NULL in bpf_detachd_locked(). To avoid this, use NET_EPOCH_WAIT() when descriptor is removed from interface's descriptors list. After the wait it is safe to modify descriptor's content. Submitted by: kib Reported by: slavash MFC after: 1 week
2019-05-27 12:41:41 +00:00 · 2019-05-27 12:41:41 +00:00 · 48d24993fc
commit 48d24993fc
parent 3b821c79f1
1 changed files with 7 additions and 2 deletions
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@ -850,10 +850,15 @@ bpf_detachd_locked(struct bpf_d *d, bool detached_ifp)
 	/* Check if descriptor is attached */
 	if ((bp = d->bd_bif) == NULL)
 		return;
+	/*
+	 * Remove d from the interface's descriptor list.
+	 * And wait until bpf_[m]tap*() will finish their possible work
+	 * with descriptor.
+	 */
+	CK_LIST_REMOVE(d, bd_next);
+	NET_EPOCH_WAIT();

 	BPFD_LOCK(d);
-	/* Remove d from the interface's descriptor list. */
-	CK_LIST_REMOVE(d, bd_next);
 	/* Save bd_writer value */
 	error = d->bd_writer;
 	ifp = bp->bif_ifp;