diff options
| author | green <green@FreeBSD.org> | 2003-11-17 03:17:49 +0000 |
|---|---|---|
| committer | green <green@FreeBSD.org> | 2003-11-17 03:17:49 +0000 |
| commit | fc779a75730f7e46f008a4bf5649eeaf5adba7cf (patch) | |
| tree | 1ee8c939cbd44fe750095adfe0c6be3798857f19 | |
| parent | 1c7581a7316f0b661df3fc8606e212d1ba66404e (diff) | |
| download | FreeBSD-src-fc779a75730f7e46f008a4bf5649eeaf5adba7cf.zip FreeBSD-src-fc779a75730f7e46f008a4bf5649eeaf5adba7cf.tar.gz | |
Fix a few cases where MT_TAG-type "fake mbufs" are created on the stack, but
do not have mh_nextpkt initialized. Somtimes what's there is "1", and the
ip_input() code pukes trying to m_free() it, rendering divert sockets and
such broken.
This really underscores the need to get rid of MT_TAG.
Reviewed by: rwatson
| -rw-r--r-- | sys/netinet/ip_divert.c | 1 | ||||
| -rw-r--r-- | sys/netinet/ip_input.c | 2 |
2 files changed, 3 insertions, 0 deletions
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c index 5b44527..7e939e3 100644 --- a/sys/netinet/ip_divert.c +++ b/sys/netinet/ip_divert.c @@ -284,6 +284,7 @@ div_output(struct socket *so, struct mbuf *m, divert_tag.mh_flags = PACKET_TAG_DIVERT; divert_tag.mh_next = m; divert_tag.mh_data = 0; /* the matching rule # */ + divert_tag.mh_nextpkt = NULL; m->m_pkthdr.rcvif = NULL; /* XXX is it necessary ? */ #ifdef MAC diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index c4764b1..e582864 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -975,6 +975,7 @@ DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ tag.mh_flags = PACKET_TAG_IPFORWARD; tag.mh_data = (caddr_t)args.next_hop; tag.mh_next = m; + tag.mh_nextpkt = NULL; (*inetsw[ip_protox[ip->ip_p]].pr_input)( (struct mbuf *)&tag, hlen); @@ -1922,6 +1923,7 @@ ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop) tag.mh_flags = PACKET_TAG_IPFORWARD; tag.mh_data = (caddr_t)next_hop; tag.mh_next = m; + tag.mh_nextpkt = NULL; m = (struct mbuf *)&tag; } error = ip_output(m, (struct mbuf *)0, NULL, IP_FORWARDING, 0, NULL); |
