Prevent a NULL dereference in ip_output().

A race can happen if a task, like the watchdog, sleeps too long keeping
an ifp reference while the interface is detached.  In this case a TCP
timer will try to send packets with a cached route.  Since the ifp is
being detached if_get(9) returns NULL.

Found the hard way by awolk@.

ok bluhm@
mpieuchot committed Sep 4, 2016
1 parent d33d553 commit 4d41e84f22919c3b9223ad731df0ecadb83398be
Showing with 5 additions and 1 deletion.
  1. +5 −1 sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
/* $OpenBSD: ip_output.c,v 1.326 2016/08/15 11:35:25 dlg Exp $ */
/* $OpenBSD: ip_output.c,v 1.327 2016/09/04 17:18:56 mpi Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -214,6 +214,10 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, int flags,
ifp = if_get(lo0ifidx);
else
ifp = if_get(ro->ro_rt->rt_ifidx);
if (ifp == NULL) {
error = EHOSTUNREACH;
goto bad;
}
if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0)
mtu = ifp->if_mtu;
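Review bot: the new if (ifp == NULL) check after the two if_get() calls has no comment saying why a NULL return is expected at this point; a one-line comment noting that the interface can be detached while a cached route still carries its index would keep the check from being read as dead code later. The placement is right: it sits before the first dereference (mtu = ifp->if_mtu) and covers both the lo0ifidx and ro->ro_rt->rt_ifidx branches. The bad label is outside this hunk, so it is worth confirming that its cleanup path does not touch ifp when it is NULL.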
