diff options
| author | sam <sam@FreeBSD.org> | 2004-01-20 22:45:10 +0000 |
|---|---|---|
| committer | sam <sam@FreeBSD.org> | 2004-01-20 22:45:10 +0000 |
| commit | 0ac3a99bac662e7f27e474770539a21ab8c593bf (patch) | |
| tree | ac4a2f5f2c5d428bf034a6c176f3ea1f11bff957 /sys/netipsec | |
| parent | d37c54b3a91f8ed5e9d94c5e4356f978869d0f7a (diff) | |
| download | FreeBSD-src-0ac3a99bac662e7f27e474770539a21ab8c593bf.zip FreeBSD-src-0ac3a99bac662e7f27e474770539a21ab8c593bf.tar.gz | |
Fix ipip_output() to always set *mp to NULL on failure, even if 'm'
is NULL, otherwise ipsec4_process_packet() may try to m_freem() a
bad pointer.
In ipsec4_process_packet(), don't try to m_freem() 'm' twice; ipip_output()
already did it.
Obtained from: netbsd
Diffstat (limited to 'sys/netipsec')
| -rw-r--r-- | sys/netipsec/ipsec_output.c | 5 | ||||
| -rw-r--r-- | sys/netipsec/xform_ipip.c | 4 |
2 files changed, 6 insertions, 3 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 8f8c705..c90524b 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -426,8 +426,11 @@ ipsec4_process_packet( error = EFAULT; } if (error) { - if (mp) + if (mp) { + /* XXX: Should never happen! */ m_freem(mp); + } + m = NULL; /* ipip_output() already freed it */ goto bad; } m = mp, mp = NULL; diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c index a845322..0f881a1 100644 --- a/sys/netipsec/xform_ipip.c +++ b/sys/netipsec/xform_ipip.c @@ -526,7 +526,6 @@ ipip_output( if (m == 0) { DPRINTF(("%s: M_PREPEND failed\n", __func__)); ipipstat.ipips_hdrops++; - *mp = NULL; error = ENOBUFS; goto bad; } @@ -610,7 +609,8 @@ nofamily: return 0; bad: if (m) - m_freem(m), *mp = NULL; + m_freem(m); + *mp = NULL; return (error); } |
