author | glebius <glebius@FreeBSD.org> | 2012-12-12 17:41:21 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2012-12-12 17:41:21 +0000 |
commit | ef158ba46119c99a67d5c166dc971ae0c8eeb914 (patch) | |
tree | f3aa7fc7cd0d4a782eb11a9368342585ee71a58e /sys/netinet/tcp_input.c | |
parent | 3d6078315e940dd607810afc7afff58337519ddd (diff) | |
Fix a crash in tcp_input() that happens when an mbuf has a fwd_tag on it
and, after the tag has been processed and freed, we need to jump back
to the findpcb label. Since the fwd_tag pointer wasn't NULL, we tried to
process and free the tag a second time.
Reported & tested by: Pawel Tyll <ptyll nitronet.pl>
MFC after: 3 days
Diffstat (limited to 'sys/netinet/tcp_input.c')
-rw-r--r-- | sys/netinet/tcp_input.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 564f792..65a2ed5 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -810,6 +810,7 @@ findpcb: /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); m->m_flags &= ~M_IP_NEXTHOP; + fwd_tag = NULL; } else if (isipv6) { inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src, th->th_sport, &ip6->ip6_dst, th->th_dport, @@ -847,6 +848,7 @@ findpcb: /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); m->m_flags &= ~M_IP_NEXTHOP; + fwd_tag = NULL; } else inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src, th->th_sport, ip->ip_dst, th->th_dport, |
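Review bot: The added `fwd_tag = NULL;` in the first hunk (the IPv6 branch) carries no comment tying it to re-entry through the `findpcb` label, and the existing comment above it only says the tag is no longer needed; the same applies to the second hunk (the non-IPv6 branch). Per the commit message the stale pointer caused the tag to be processed and freed a second time, which is a use-after-free/double free of an mbuf tag in the TCP input path, so the reason is worth stating at the site, e.g. `/* findpcb can be re-entered via goto; clear the stale pointer so the freed tag is not used or deleted again. */`. Because the reset is duplicated in two branches, any later branch that deletes the tag could miss it; if the lookup that sets `fwd_tag` sits before the label (not visible here), redoing it under the label or clearing the pointer in one shared place would be sturdier. Both enclosing `if` blocks begin and end outside the hunks.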