diff options
| author | Claudio Jeker <claudio@cvs.openbsd.org> | 2017-07-19 06:59:17 +0000 |
|---|---|---|
| committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2017-07-19 06:59:17 +0000 |
| commit | 857c546f26a920622fb7df5a262f5b63e5033dda (patch) | |
| tree | 6d21238011b7995b6bb527a4f18d13b4dfcf6c21 | |
| parent | 58251f43d6430a1e1e6d7d3eeb18f1c7aca4f4f3 (diff) | |
Fix double free in pppoe_dispatch_disc_pkt(). If m_pulldown() fails m is
freed but another m_freem call happens later. Set m to NULL if m_pulldown()
fails like in all other cases of this function.
Found by Ilja Van Sprundel
OK bluhm@
| -rw-r--r-- | sys/net/if_pppoe.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/net/if_pppoe.c b/sys/net/if_pppoe.c index 6e4d9d91c86..04116ef1ee2 100644 --- a/sys/net/if_pppoe.c +++ b/sys/net/if_pppoe.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pppoe.c,v 1.62 2017/05/27 18:36:20 mpi Exp $ */ +/* $OpenBSD: if_pppoe.c,v 1.63 2017/07/19 06:59:16 claudio Exp $ */ /* $NetBSD: if_pppoe.c,v 1.51 2003/11/28 08:56:48 keihan Exp $ */ /* @@ -519,7 +519,9 @@ static void pppoe_dispatch_disc_pkt(struct mbuf *m, int off) if (errortag && len) { n = m_pulldown(m, off, len, &noff); - if (n) { + if (n == NULL) { + m = NULL; + } else { u_int8_t *et = mtod(n, caddr_t) + noff; while (len--) addlog("%c", *et++); |