pf kernel crash

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

pf kernel crash

sadegh solati
Hi everyone

I made some modification to the pfioctl for limiting size of data transferred  in a pf rule.
every thing is working  good.
i keep some stats in pf and every 10 seconds i read them by using pfioctl.

this my code:

case DIOCGETQUOTA:  {   //Addeb BY SADEGH SOLATI
        struct pfioc_getquota   *get_quota = (struct pfioc_getquota *)addr;
        struct pf_state         *state;
        struct pfioc_quota_data *p,*quota_data;
        u_int32_t		 nr = 0;
        quota_data=malloc(sizeof(struct pfioc_quota_data), M_TEMP, M_WAITOK);
        p = get_quota->get_quota_data;
        
        
        state = TAILQ_FIRST(&state_list);
        while (state != NULL) {
            if (state->quota>0 && state->direction==PF_IN && state->key[0]->af==AF_INET){
                quota_data->saddr = state->key[0]->addr[0].v4.s_addr; //read needed fields
                quota_data->quota=state->quota;
                quota_data->bytes[0]=state->bytes[0] - state->quota_previous_bytes[0]; //get the diffrence between current and last
                quota_data->bytes[1]=state->bytes[1] - state->quota_previous_bytes[1]; //saw value
                state->quota_previous_bytes[0] =  state->bytes[0];
                state->quota_previous_bytes[1] =  state->bytes[1];
                error = copyout(quota_data, p, sizeof(*p));    //copy filled struct to user space to address ps
                if (error) goto fail;
                p++;//next struct
                nr++;
                state = TAILQ_NEXT(state, entry_list);}
            else state = TAILQ_NEXT(state, entry_list);
        }
        
        
        get_quota->length=nr; //specify how many state was readed
        free(quota_data, M_TEMP, 0);
        break;
    }


the ddb shows that the crash happen in 
 if (state->quota>0 && state->direction==PF_IN && state->key[0]->af==AF_INET)
 
this statement was executed thousand times without problem.

is there any thing wrong with my code??

is it possible two concurrent call to pfioctl leads to this crash?

Thanks 



Loading...