From 92023f4cc9e471aa4ad6bf4362c248d8f173e46a Mon Sep 17 00:00:00 2001
From: yongari
Date: Thu, 14 Oct 2010 18:31:40 +0000
Subject: Make sure to not use stale ip/tcp header pointers. The ip/tcp header parser uses m_pullup(9) to get access to mbuf chain. m_pullup(9) can allocate new mbuf chain and free old one if the space left in the mbuf chain is not enough to hold requested contiguous bytes. Previously drivers can use stale ip/tcp header pointer if m_pullup(9) returned new mbuf chain.
Reported by: Andrew Boyer (aboyer <> averesystems dot com)
MFC after: 10 days
---
sys/dev/sge/if_sge.c | 2 ++
1 file changed, 2 insertions(+)
(limited to 'sys/dev/sge/if_sge.c')
diff --git a/sys/dev/sge/if_sge.c b/sys/dev/sge/if_sge.c
index e294edd..e727d05 100644
--- a/sys/dev/sge/if_sge.c
+++ b/sys/dev/sge/if_sge.c
@@ -1457,7 +1457,9 @@ sge_encap(struct sge_softc *sc, struct mbuf **m_head)
 * Reset IP checksum and recompute TCP pseudo
 * checksum that NDIS specification requires.
 */
+ ip = (struct ip *)(mtod(m, char *) + ip_off);
 ip->ip_sum = 0;
+ tcp = (struct tcphdr *)(mtod(m, char *) + poff);
 tcp->th_sum = in_pseudo(ip->ip_src.s_addr,
 ip->ip_dst.s_addr, htons(IPPROTO_TCP));
 *m_head = m;
--
cgit v1.1
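Review bot: The two re-derived pointers are only valid if the last m_pullup(9) before this point left at least `poff + sizeof(struct tcphdr)` contiguous bytes in the first mbuf. That call is outside the hunk, so the invariant cannot be confirmed from the visible lines. A short comment above the first added line would keep a later cleanup from removing the assignments as redundant: `/* m_pullup(9) may have replaced the chain; re-derive header pointers from m. */`. The assumption could also be pinned with `KASSERT(m->m_len >= poff + sizeof(struct tcphdr), ("%s: short first mbuf", __func__));` before the `tcp` assignment, so a short first mbuf fails loudly on INVARIANTS kernels instead of being read or written out of bounds. The body of sge_encap starts and ends outside the hunk.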