Subject: kern/10351: arplookup reentrancy problem (+fix)
To: None <gnats-bugs@gnats.netbsd.org>
From: None <salvet@ics.muni.cz>
List: netbsd-bugs
Date: 06/13/2000 01:04:15
>Number: 10351
>Category: kern
>Synopsis: arplookup reentrancy problem (+fix)
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jun 13 01:05:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Zdenek Salvet
>Release: 1.4.2
>Organization:
Institute of Computer Science of Masaryk University, Brno, Czech Republic
>Environment:
>Description:
arplookup() can be interrupted by a NIC interrupt and reentered via
ipflow fast forwarding. Unresolved arptab entry manipulation
is not properly protected.
>How-To-Repeat:
Simulate IP traffic such that multiple flows use the same next hop,
some of them hit in the flow cache, some of them not,
then let the arptab entry expire.
>Fix:
--- ../../../netinet/if_arp.c.orig Tue Jun 13 09:35:41 2000
+++ ../../../netinet/if_arp.c Tue Jun 13 09:45:43 2000
@@ -403,6 +403,7 @@
{
register struct llinfo_arp *la;
struct sockaddr_dl *sdl;
+ int s;
if (rt)
la = (struct llinfo_arp *)rt->rt_llinfo;
@@ -431,9 +432,11 @@
* response yet. Replace the held mbuf with this
* latest one.
*/
+ s = splnet();
if (la->la_hold)
m_freem(la->la_hold);
la->la_hold = m;
+
/*
* Re-send the ARP request when appropriate.
*/
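Review bot: s = splnet() is raised only at the la_hold test, while la was already loaded from rt->rt_llinfo near the top of the function at the lower priority level. If the reentrant ipflow path can change or resolve the entry between that load and this point, the protected region needs to start earlier. The hunk also adds an empty line after "la->la_hold = m;" that can be dropped, and a short comment above splnet() naming what it guards against (the NIC interrupt reentering through fast forwarding, per the description) would help later readers.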
@@ -461,6 +464,7 @@
}
}
}
+ splx(s);
return (0);
}
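Review bot: splx(s) is added only before the final "return (0);", so any other return between the splnet() call and this point would leave the CPU at splnet. The hunks do not show those lines, so please confirm there is none. Since "int s;" is uninitialised, also confirm that this splx(s) can only be reached through the branch that executed "s = splnet();". Finally, the code under "Re-send the ARP request when appropriate" now runs at raised priority too; if only the la_hold swap needs protection, splx(s) could go directly after "la->la_hold = m;" to keep the blocked window short.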
>Release-Note:
>Audit-Trail:
>Unformatted: