authorglebius <glebius@FreeBSD.org>2012-12-12 17:41:21 +0000
committerglebius <glebius@FreeBSD.org>2012-12-12 17:41:21 +0000
commitef158ba46119c99a67d5c166dc971ae0c8eeb914 (patch)
treef3aa7fc7cd0d4a782eb11a9368342585ee71a58e /sys/netinet/tcp_input.c
parent3d6078315e940dd607810afc7afff58337519ddd (diff)
Fix a crash in tcp_input() that happens when an mbuf has a fwd_tag on it and, after the tag has been processed and freed, we need to jump back to the findpcb label. Since the fwd_tag pointer wasn't NULL, we tried to process and free the tag a second time.

Reported & tested by: Pawel Tyll <ptyll nitronet.pl>
MFC after: 3 days
Diffstat (limited to 'sys/netinet/tcp_input.c')
-rw-r--r--sys/netinet/tcp_input.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 564f792..65a2ed5 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -810,6 +810,7 @@ findpcb:
/* Remove the tag from the packet. We don't need it anymore. */
m_tag_delete(m, fwd_tag);
m->m_flags &= ~M_IP_NEXTHOP;
+ fwd_tag = NULL;
} else if (isipv6) {
inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src,
th->th_sport, &ip6->ip6_dst, th->th_dport,
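Review bot: The added `fwd_tag = NULL;` after `m_tag_delete(m, fwd_tag)` carries no comment explaining why the local is reset, and the existing comment above it only describes removing the tag. The reason (a later jump back to `findpcb` would otherwise process and free the already-deleted tag again) is recorded only in the commit message, so I would put it beside the assignment, e.g. `/* Clear the stale pointer; a later goto findpcb must not see the freed tag. */`. The same applies to the identical assignment in the second hunk, in the branch preceding the `in_pcblookup_mbuf()` lookup. The branch conditions and the rest of tcp_input() lie outside both hunks, so this presumes the guards test `fwd_tag` against NULL, which should be confirmed in the full function.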
@@ -847,6 +848,7 @@ findpcb:
/* Remove the tag from the packet. We don't need it anymore. */
m_tag_delete(m, fwd_tag);
m->m_flags &= ~M_IP_NEXTHOP;
+ fwd_tag = NULL;
} else
inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src,
th->th_sport, ip->ip_dst, th->th_dport,