author | archie <archie@FreeBSD.org> | 2003-03-05 23:12:59 +0000 |
---|---|---|
committer | archie <archie@FreeBSD.org> | 2003-03-05 23:12:59 +0000 |
commit | cd00a5e4714c42254f8039deac6b2106c10ea2ec (patch) | |
tree | dcfdb95dddbf10c22b77052aafd091a6d7617946 /sys/netgraph/ng_ppp.c | |
parent | 7fd03de4a042e4e58a05cd47a0b7c4aa4fee3f31 (diff) | |
Fix a use-after-free bug that could cause multi-link fragment reassembly to
fail for a long time (until the incoming sequence numbers wrapped around).
Reported by: Matthew Impett <mimpett@Glue.umd.edu>
MFC after: 3 days
Diffstat (limited to 'sys/netgraph/ng_ppp.c')
-rw-r--r-- | sys/netgraph/ng_ppp.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netgraph/ng_ppp.c b/sys/netgraph/ng_ppp.c
index 6ffb082..6dfa4a4 100644
--- a/sys/netgraph/ng_ppp.c
+++ b/sys/netgraph/ng_ppp.c
@@ -1418,6 +1418,7 @@ ng_ppp_frag_checkstale(node_p node)
 meta_p meta;
 int i, seq;
 item_p item;
+ int endseq;
 now.tv_sec = 0; /* uninitialized state */
 while (1) {
@@ -1468,11 +1469,12 @@ ng_ppp_frag_checkstale(node_p node)
 }
 /* Extract completed packet */
+ endseq = end->seq;
 ng_ppp_get_packet(node, &m, &meta);
 /* Bump MSEQ if necessary */
- if (MP_RECV_SEQ_DIFF(priv, priv->mseq, end->seq) < 0) {
- priv->mseq = end->seq;
+ if (MP_RECV_SEQ_DIFF(priv, priv->mseq, endseq) < 0) {
+ priv->mseq = endseq;
 for (i = 0; i < priv->numActiveLinks; i++) {
 struct ng_ppp_link *const alink = &priv->links[priv->activeLinks[i]]; |
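Review bot: The new `endseq = end->seq;` line in the second hunk has no comment saying why the value is copied before `ng_ppp_get_packet()` runs, so a later cleanup could fold it back into `end->seq` and reintroduce the stale read. Going by the commit message, the call releases the fragment that `end` points to; I would add `/* Save seq first: ng_ppp_get_packet() releases the fragments, 'end' is stale afterwards */` above the assignment. `end` itself stays in scope as a dangling pointer, and the rest of the loop body lies outside this hunk, so it is worth confirming that nothing further down reads through it.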