MFC r179971:

In case of interface initialization failure remove struct in_ifaddr* from in_ifaddrhashtbl in in_ifinit because error handler in in_control removes entries only for AF_INET addresses. If in_ifinit is called for the cloned inteface that has just been created its address family is not AF_INET and therefor LIST_REMOVE is not called for respective LIST_INSERT_HEAD and freed entries remain in in_ifaddrhashtbl and lead to memory corruption. PR: kern/124384 MFC after: 3 weeks
2008-07-19 13:15:51 +00:00 · 2008-07-19 13:15:51 +00:00 · 6761476538
commit 6761476538
parent f48f25f7f6
1 changed files with 8 additions and 0 deletions
--- a/sys/netinet/in.c
+++ b/sys/netinet/in.c
@ -715,6 +715,14 @@ in_ifinit(ifp, ia, sin, scrub)
 			if (ia->ia_addr.sin_family == AF_INET)
 				LIST_INSERT_HEAD(INADDR_HASH(
 				    ia->ia_addr.sin_addr.s_addr), ia, ia_hash);
+			else 
+				/* 
+				 * If oldaddr family is not AF_INET (e.g. 
+				 * interface has been just created) in_control 
+				 * does not call LIST_REMOVE, and we end up 
+				 * with bogus ia entries in hash
+				 */
+				LIST_REMOVE(ia, ia_hash);
 			return (error);
 		}
 	}