authorsam <sam@FreeBSD.org>2003-09-30 04:46:08 +0000
committersam <sam@FreeBSD.org>2003-09-30 04:46:08 +0000
commitd1d4c947ce1dc00069d3ebc7667f42ebd15add02 (patch)
treee69e397b08ceb0859fe952a0aca6ef40dc00ff1d /sys
parent8a599ca7c0982d2714c3a7d8fd2553f6367d3208 (diff)
Correct pfil_run_hooks return handling: if the return value is non-zero
then the mbuf has been consumed by a hook; otherwise beware of a null mbuf return (gack). In particular the bridge was doing the wrong thing. While in the ipv6 code make its handling of pfil_run_hooks identical to netbsd. Pointed out by: Pyun YongHyeon <yongari@kt-is.co.kr>
Diffstat (limited to 'sys')
-rw-r--r--sys/net/bridge.c8
-rw-r--r--sys/netinet6/ip6_forward.c10
-rw-r--r--sys/netinet6/ip6_output.c7
3 files changed, 11 insertions, 14 deletions
diff --git a/sys/net/bridge.c b/sys/net/bridge.c
index d0fa2d9..5864a6f 100644
--- a/sys/net/bridge.c
+++ b/sys/net/bridge.c
@@ -1020,13 +1020,11 @@ bdg_forward(struct mbuf *m0, struct ifnet *dst)
ip->ip_off = ntohs(ip->ip_off);
if (pfil_run_hooks(&inet_pfil_hook, &m0, src, PFIL_IN) != 0) {
- EH_RESTORE(m0); /* restore Ethernet header */
- return m0;
- }
- if (m0 == NULL) {
- bdg_dropped++;
+ /* NB: hook should consume packet */
return NULL;
}
+ if (m0 == NULL) /* consumed by filter */
+ return m0;
/*
* If we get here, the firewall has passed the pkt, but the mbuf
* pointer might have changed. Restore ip and the fields ntohs()'d.
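Review bot: The non-zero branch returns NULL without touching m0, so it is leak-free only if every registered hook frees the mbuf before reporting an error; the comment `/* NB: hook should consume packet */` states that as a hope rather than a contract. I would reword it to name the requirement, e.g. `/* pfil contract: on non-zero return the hook has already freed m0 */`, and confirm it against pfil_run_hooks, which is not visible here. Both early returns also lose the `bdg_dropped++` accounting the old NULL path had, so if filter-discarded packets are still meant to count as drops, keep `bdg_dropped++;` before each return so they remain visible in the bridge statistics. bdg_forward begins and ends outside this hunk.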
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 9233aba..b625f0a 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -522,10 +522,9 @@ ip6_forward(m, srcrt)
/*
* Run through list of hooks for output packets.
*/
- if (pfil_run_hooks(&inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT) != 0) {
- error = EHOSTUNREACH;
- goto freecopy;
- }
+ error = pfil_run_hooks(&inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT);
+ if (error != 0)
+ goto senderr;
if (m == NULL)
goto freecopy;
ip6 = mtod(m, struct ip6_hdr *);
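Review bot: A non-zero hook result now jumps to `senderr` (the label added in the next hunk) instead of `freecopy`, so when mcopy is non-NULL the hook's return value reaches `switch (error)`. The switch body is outside the hunk, but if it builds ICMPv6 errors from mcopy, packets rejected by the filter would now draw a reply to the sender where they were previously discarded silently, which discloses the filter's presence and lets filtered traffic trigger outbound errors. If that is not the intended NetBSD-matching behaviour, keep the silent path with `goto freecopy;`; otherwise add a comment such as `/* filter rejected packet: error is reported to the source via mcopy */` so the choice is explicit. ip6_forward continues outside both hunks.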
@@ -545,6 +544,9 @@ ip6_forward(m, srcrt)
goto freecopy;
}
}
+#ifdef PFIL_HOOKS
+senderr:
+#endif
if (mcopy == NULL)
return;
switch (error) {
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 7e81373..e03fd3b 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -926,11 +926,8 @@ skip_ipsec2:;
/*
* Run through list of hooks for output packets.
*/
- if (pfil_run_hooks(&inet6_pfil_hook, &m, ifp, PFIL_OUT) != 0) {
- error = EHOSTUNREACH;
- goto done;
- }
- if (m == NULL)
+ error = pfil_run_hooks(&inet6_pfil_hook, &m, ifp, PFIL_OUT);
+ if (error != 0 || m == NULL)
goto done;
ip6 = mtod(m, struct ip6_hdr *);
#endif /* PFIL_HOOKS */
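Review bot: The combined test `if (error != 0 || m == NULL)` folds two different outcomes into one branch: a hook failure, whose raw return value now becomes ip6_output's error, and a packet taken by the filter with error still 0, which the caller sees as success. A short comment would make that deliberate, e.g. `/* non-zero: hook consumed m, propagate its errno; m == NULL: filter took the packet, report success */`. In the error case m may still hold a stale pointer, so it is worth confirming that the code at `done`, which is outside this hunk, never dereferences or frees m.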