Description
During Clearview IPMP development, I stumbled on a longstanding
bug in ip_newroute_ipif_v6(): even if the `unspec_src' argument is
set, it will create an IRE with a source address of ipif_v6src_addr.
Since the unspec_src logic is used by IPv6 ND probes, this means
we end up creating IREs with an address that is not yet ours to
use. Also, for what it's worth, it leaves this block of code in
ire_send_v6():
	/*
	 * Special code to support sending a single packet with
	 * conn_unspec_src using an IRE which has no source address.
	 * The IRE is deleted here after sending the packet to avoid
	 * having other code trip on it. But before we delete the
	 * ire, somebody could have looked up this ire.
	 * We prevent returning/using this IRE by the upper layers
	 * by making checks to NULL source address in other places
	 * like e.g ip_ire_append_v6, ip_ire_req and
	 * ip_bind_connected_v6. Though, this does not completely
	 * prevent other threads from using this ire, this should
	 * not cause any problems.
	 */
	if (IN6_IS_ADDR_UNSPECIFIED(&ire->ire_src_addr_v6)) {
		ip1dbg(("ire_send_v6: delete IRE\n"));
		ire_delete(ire);
	}
... is effectively unreachable.
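The following is an added toy model written for this page; it is not illumos/OpenSolaris code and not part of the report above. The struct and function names (ipif_t, ire_t, newroute_ipif_buggy, newroute_ipif_fixed, send_v6_and_cleanup, make_probe_ire) are stand-ins for ip_newroute_ipif_v6() and the tail of ire_send_v6(), and the tentative link-local address is constructed. It shows both consequences the description states: with unspec_src ignored, the ND probe IRE carries an address that has not finished DAD and the delete branch quoted above can never fire; with unspec_src honoured, the IRE source is :: and the branch runs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>   /* struct in6_addr, in6addr_any, IN6_IS_ADDR_UNSPECIFIED */

/* Stand-in for the ipif: holds the address still under DAD (constructed). */
typedef struct ipif {
    struct in6_addr ipif_v6src_addr;
} ipif_t;

/* Stand-in for the IRE; ire_deleted models the effect of ire_delete(). */
typedef struct ire {
    struct in6_addr ire_src_addr_v6;
    bool            ire_deleted;
} ire_t;

/* Models the reported behaviour: unspec_src is accepted, then ignored. */
static void
newroute_ipif_buggy(ire_t *ire, const ipif_t *ipif, bool unspec_src)
{
    (void)unspec_src;                          /* the bug: flag never consulted */
    ire->ire_src_addr_v6 = ipif->ipif_v6src_addr;
    ire->ire_deleted = false;
}

/* Honours unspec_src: the single-use IRE carries :: as its source. */
static void
newroute_ipif_fixed(ire_t *ire, const ipif_t *ipif, bool unspec_src)
{
    if (unspec_src)
        ire->ire_src_addr_v6 = in6addr_any;    /* :: until DAD completes */
    else
        ire->ire_src_addr_v6 = ipif->ipif_v6src_addr;
    ire->ire_deleted = false;
}

/*
 * Models the tail of ire_send_v6(): once the packet is out, an IRE whose
 * source is :: is deleted so nothing else reuses it. Returns whether that
 * branch was taken.
 */
static bool
send_v6_and_cleanup(ire_t *ire)
{
    if (IN6_IS_ADDR_UNSPECIFIED(&ire->ire_src_addr_v6)) {
        ire->ire_deleted = true;               /* stands in for ire_delete(ire) */
        return true;
    }
    return false;
}

/* Build an ND-probe IRE (unspec_src set) with either creator. */
static ire_t
make_probe_ire(bool fixed)
{
    ipif_t ipif;
    ire_t  ire;

    /* Constructed sample: fe80::1, tentative, DAD not yet done. */
    memset(&ipif, 0, sizeof ipif);
    ipif.ipif_v6src_addr.s6_addr[0]  = 0xfe;
    ipif.ipif_v6src_addr.s6_addr[1]  = 0x80;
    ipif.ipif_v6src_addr.s6_addr[15] = 0x01;

    if (fixed)
        newroute_ipif_fixed(&ire, &ipif, true);
    else
        newroute_ipif_buggy(&ire, &ipif, true);
    return ire;
}

/* True if the probe would leave with the tentative address as its source. */
bool
probe_leaks_tentative_addr(bool fixed)
{
    ire_t ire = make_probe_ire(fixed);
    return !IN6_IS_ADDR_UNSPECIFIED(&ire.ire_src_addr_v6);
}

/* True if the ire_send_v6-style delete branch is actually reached. */
bool
cleanup_branch_reached(bool fixed)
{
    ire_t ire = make_probe_ire(fixed);
    return send_v6_and_cleanup(&ire) && ire.ire_deleted;
}

int
main(void)
{
    printf("buggy: leaks tentative addr=%d, cleanup reached=%d\n",
        probe_leaks_tentative_addr(false), cleanup_branch_reached(false));
    printf("fixed: leaks tentative addr=%d, cleanup reached=%d\n",
        probe_leaks_tentative_addr(true), cleanup_branch_reached(true));
    return 0;
}
```

The point of the two creators is the second consequence: whether the quoted cleanup in ire_send_v6() is dead code depends entirely on ip_newroute_ipif_v6() ever producing an IRE with an unspecified source, which the buggy variant never does.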