mirror of
https://github.com/opnsense/src.git
synced 2026-06-11 09:41:03 -04:00
When a prefix gets deleted from the RIB, dpdk_lpm algo needs to know the nexthop of the "parent" prefix to update its internal state. The glue code, which utilises RIB as a backing route store, uses fib[46]_lookup_rt() for the prefix destination after its deletion to fetch the desired nexthop.

This approach does not work when deleting less-specific prefixes while most-specific ones are still present. For example, if 10.0.0.0/24, 10.0.0.0/23 and 10.0.0.0/22 exist in RIB, deleting 10.0.0.0/23 would result in 10.0.0.0/24 being returned as a search result instead of 10.0.0.0/22. This, in turn, results in the failed data structure update: part of the deleted /23 prefix will still contain the reference to an old nexthop. This leads to the use-after-free behaviour, ending with the eventual crashes.

Fix the logic flaw by properly fetching the prefix "parent" via newly-created rt_get_inet[6]_parent() helpers.

Differential Revision: https://reviews.freebsd.org/D31546
PR: 256882,256833
MFC after: 1 week

| | | |
|---|---|---|
| .. | ||
| alpine-hal | ||
| ck | ||
| cloudabi | ||
| dev | ||
| device-tree | ||
| dpdk_rte_lpm | ||
| edk2 | ||
| ena-com | ||
| ipfilter/netinet | ||
| libb2 | ||
| libfdt | ||
| libnv | ||
| libsodium | ||
| ncsw | ||
| ngatm | ||
| octeon-sdk | ||
| openzfs | ||
| pcg-c/include | ||
| rdma/krping | ||
| v4l | ||
| vchiq/interface | ||
| x86emu | ||
| xz-embedded | ||
| zlib | ||
| zstd | ||