
netgraph/ng_checksum: Fix double free error
ClosedPublic

Authored by donner on May 15 2021, 9:38 AM.
Referenced Files
F107379020: D30273.diff

Details

Summary

m_pullup(9) frees the mbuf(9) chain in the case of an allocation error.
The mbuf chain must not be freed again at the end in this case.

PR: 255874
Submitted by: <lylgood@foxmail.com>
MFC after: 1 week

Test Plan

Tested by the submitter.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 39203
Build 36092: arc lint + arc unit

Event Timeline

checksum_ipv4() and checksum_ipv6() may fail without freeing the mbuf. In that case, with the patch the mbuf is leaked.

One approach that's used in some places is to pass a struct mbuf ** to the subroutine, and have the callee set *m = NULL when it frees the mbuf. Alternately, checksum_ip*() can be modified to always free the mbuf upon failure.

sys/netgraph/ng_checksum.c:686

drop is not really an accurate name for the label now.

> checksum_ipv4() and checksum_ipv6() may fail without freeing the mbuf. In that case, with the patch the mbuf is leaked.

Can you point to a code line where this can happen?
I didn't see one.

> One approach that's used in some places is to pass a struct mbuf ** to the subroutine,
> and have the callee set *m = NULL when it frees the mbuf. Alternately, checksum_ip*()
> can be modified to always free the mbuf upon failure.

As part of a brushup of this code, yes.
As part of a bug fix, no.

sys/netgraph/ng_checksum.c:686

Not as part of a bugfix.

>> checksum_ipv4() and checksum_ipv6() may fail without freeing the mbuf. In that case, with the patch the mbuf is leaked.
>
> Can you point to a code line where this can happen?
> I didn't see one.

In checksum_ipv4() we call PULLUP_CHECK() on line 316. PULLUP_CHECK() looks like this:

293 #define PULLUP_CHECK(mbuf, length) do {                                 \
294         pullup_len += length;                                           \
295         if (((mbuf)->m_pkthdr.len < pullup_len) ||                      \
296             (pullup_len > MHLEN)) {                                     \
297                 return (EINVAL);                                        \
298         }                                                               \
299         if ((mbuf)->m_len < pullup_len &&                               \
300             (((mbuf) = m_pullup((mbuf), pullup_len)) == NULL)) {        \
301                 return (ENOBUFS);                                       \
302         }                                                               \
303 } while (0)

On line 297, we return an error without having freed the mbuf. On line 301 we return an error having freed the mbuf, and the caller of checksum_ipv4() will free the mbuf again. So in the first case, we are now not freeing the mbuf at all.

>> One approach that's used in some places is to pass a struct mbuf ** to the subroutine,
>> and have the callee set *m = NULL when it frees the mbuf. Alternately, checksum_ip*()
>> can be modified to always free the mbuf upon failure.
>
> As part of a brushup of this code, yes.
> As part of a bug fix, no.

To be clear, what I am proposing there is part of the bug fix, not a cleanup.

>>> checksum_ipv4() and checksum_ipv6() may fail without freeing the mbuf. In that case, with the patch the mbuf is leaked.
>>
>> Can you point to a code line where this can happen?
>> I didn't see one.
>
> In checksum_ipv4() we call PULLUP_CHECK() on line 316. PULLUP_CHECK() looks like this:
>
> 293 #define PULLUP_CHECK(mbuf, length) do {                                 \
> 294         pullup_len += length;                                           \
> 295         if (((mbuf)->m_pkthdr.len < pullup_len) ||                      \
> 296             (pullup_len > MHLEN)) {                                     \
> 297                 return (EINVAL);                                        \
> 298         }                                                               \
> 299         if ((mbuf)->m_len < pullup_len &&                               \
> 300             (((mbuf) = m_pullup((mbuf), pullup_len)) == NULL)) {        \
> 301                 return (ENOBUFS);                                       \
> 302         }                                                               \
> 303 } while (0)
>
> On line 297, we return an error without having freed the mbuf. On line 301 we return an error having freed the mbuf, and the caller of checksum_ipv4() will free the mbuf again. So in the first case, we are now not freeing the mbuf at all.

This is well respected on the caller side:

	error = checksum_ipv*(priv, m, pullup_len);
	if (error == 0)
		goto bypass;
	else if (error == ENOBUFS)
		goto drop;

I don't say the bug fix could be improved, ...

Sorry, I missed this detail when reading the code. I think the diff is fine.

This revision is now accepted and ready to land. May 16 2021, 5:01 PM
This revision was automatically updated to reflect the committed changes.
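A worked model of the ownership rule the thread settles on, added here as an example (not FreeBSD code and not the patch under review): a stand-in mbuf, an m_pullup() that frees the chain on failure as m_pullup(9) does, the PULLUP_CHECK() macro as quoted above, and the caller in both its pre-fix and fixed forms, with m_freem() replaced by a counter so that both the double free and a leak become observable. The struct layout, the MHLEN value and the rcvdata() flow are assumptions made for the model.

```c
#include <errno.h>
#include <stddef.h>
/* Model of the ownership rule under review (added here, not FreeBSD code): m_freem()
 * only counts, so a double free shows up as a count of 2, not undefined behaviour. */
struct mbuf { int m_len; struct { int len; } m_pkthdr; };  /* only what the macro reads */
#define MHLEN 224          /* assumed value; the real one is platform-dependent */
static int frees;          /* m_freem() calls during the last rcvdata() run */
static int fail_alloc;     /* makes the simulated m_pullup() fail */
static void m_freem(struct mbuf *m) { (void)m; frees++; }
static struct mbuf *m_pullup(struct mbuf *m, int len)   /* m_pullup(9) contract */
{
	if (fail_alloc) { m_freem(m); return (NULL); }   /* chain freed on failure */
	m->m_len = len; return (m);
}

/* As quoted in the review: EINVAL leaves the mbuf with the caller,
 * ENOBUFS means m_pullup() has already freed it. */
#define PULLUP_CHECK(mbuf, length) do {                                 \
	pullup_len += length;                                           \
	if (((mbuf)->m_pkthdr.len < pullup_len) || (pullup_len > MHLEN)) \
		return (EINVAL);                                        \
	if ((mbuf)->m_len < pullup_len &&                               \
	    (((mbuf) = m_pullup((mbuf), pullup_len)) == NULL))          \
		return (ENOBUFS);                                       \
} while (0)

static int checksum_ipv4(struct mbuf *m, int pullup_len)
{
	PULLUP_CHECK(m, 20);   /* need at least an IPv4 header */
	return (0);
}

/* Caller modelled on the review's snippet. fixed=0 frees on every error (the
 * double free); fixed=1 skips the free after ENOBUFS. Returns the free count. */
static int rcvdata(int pkthdr_len, int m_len, int alloc_fails, int fixed)
{
	struct mbuf mb = { m_len, { pkthdr_len } }, *m = &mb;
	frees = 0; fail_alloc = alloc_fails;
	int error = checksum_ipv4(m, 0);
	if (error == 0)
		goto bypass;
	else if (fixed && error == ENOBUFS)
		goto drop;     /* m_pullup() already freed it: must not free again */
	m_freem(m);            /* EINVAL: the caller still owns the chain */
	return (frees);
bypass:
	m_freem(m);            /* stands in for handing the packet downstream */
drop:
	return (frees);
}
```

With the fixed caller every path (success, EINVAL, ENOBUFS) frees exactly once; rcvdata(60, 10, 1, 0) returns 2, the pre-fix double free on the allocation-failure path.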