From 92356849586f38fcb5583fea6e6bbadf53c00c12 Mon Sep 17 00:00:00 2001
From: claudio
Date: Sun, 20 Apr 2014 11:25:18 +0000
Subject: [PATCH] When switching rdomains the sadl needs to be removed and re-added from the RB lookup tree because the rdomain id is part of the lookup key. Without this the RB tree gets corrupted and in the worst case a use after free can happen when the interface is destroyed. Why the sadl addresses are added to the tree in the first place is something to reconsider. OK henning@, mpi@, sthen@
---
 sys/net/if.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/sys/net/if.c b/sys/net/if.c
index 4f7db461410..1786279c13b 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.284 2014/04/19 12:27:59 henning Exp $ */
+/* $OpenBSD: if.c,v 1.285 2014/04/20 11:25:18 claudio Exp $ */
 /* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */

 /*
@@ -1502,6 +1502,11 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct proc *p)
 #ifdef INET
 in_ifdetach(ifp);
 #endif
+ /*
+ * Remove sadl from ifa RB tree because rdomain is part
+ * of the lookup key and re-add it after the switch.
+ */
+ ifa_del(ifp, ifp->if_lladdr);
 splx(s);
 }

@@ -1512,6 +1517,9 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct proc *p)

 /* Add interface to the specified rdomain */
 ifp->if_rdomain = ifr->ifr_rdomainid;
+
+ /* re-add sadl to the ifa RB tree in new rdomain */
+ ifa_add(ifp, ifp->if_lladdr);
 break;

 case SIOCAIFGROUP:
-- 
2.20.1
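Review bot: The removal and the re-add of the sadl are not paired: `ifa_del(ifp, ifp->if_lladdr)` in the second hunk sits inside a block that closes with `splx(s); }`, while `ifa_add(ifp, ifp->if_lladdr)` in the third hunk runs unconditionally just before `break;`. If that block is skipped (its condition is outside the hunk, presumably the case where the requested rdomain equals the current one), the sadl is inserted a second time without having been removed, which risks the same tree corruption this commit sets out to fix. Any error return in the lines between the two hunks (not shown here) would likewise leave the sadl out of the tree. Tying the two calls together, for example a local flag set next to `ifa_del` and tested as `if (readd) ifa_add(ifp, ifp->if_lladdr);`, would keep them symmetric. The re-add also runs after `splx(s)`, so it is worth confirming that it is protected the same way as the removal.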