summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Bergamini <damien@cvs.openbsd.org>2009-09-24 16:03:11 +0000
committerDamien Bergamini <damien@cvs.openbsd.org>2009-09-24 16:03:11 +0000
commit7947606c66b938ef80f3fa9d94f1f4ec62a7781a (patch)
tree06e58f15b6668cea07bd182caa6a76304030df95
parent42045432f0b34aeb1b9a32011cd6f98f018f9256 (diff)
do not call m_free(n0) followed by m_freem(n0) when m_dup_pkthdr()
call fails. this double-free was introduced with the M_DUP_PKTHRD to m_dup_pkthdr change that got committed before I had a chance to review it.
-rw-r--r--sys/net80211/ieee80211_crypto_ccmp.c10
-rw-r--r--sys/net80211/ieee80211_crypto_tkip.c10
-rw-r--r--sys/net80211/ieee80211_crypto_wep.c10
3 files changed, 9 insertions, 21 deletions
diff --git a/sys/net80211/ieee80211_crypto_ccmp.c b/sys/net80211/ieee80211_crypto_ccmp.c
index 728a363c25b..d491c20168f 100644
--- a/sys/net80211/ieee80211_crypto_ccmp.c
+++ b/sys/net80211/ieee80211_crypto_ccmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_crypto_ccmp.c,v 1.9 2009/09/13 14:42:52 krw Exp $ */
+/* $OpenBSD: ieee80211_crypto_ccmp.c,v 1.10 2009/09/24 16:03:10 damien Exp $ */
/*-
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -176,10 +176,8 @@ ieee80211_ccmp_encrypt(struct ieee80211com *ic, struct mbuf *m0,
MGET(n0, M_DONTWAIT, m0->m_type);
if (n0 == NULL)
goto nospace;
- if (m_dup_pkthdr(n0, m0)) {
- m_free(n0);
+ if (m_dup_pkthdr(n0, m0))
goto nospace;
- }
n0->m_pkthdr.len += IEEE80211_CCMP_HDRLEN;
n0->m_len = MHLEN;
if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_CCMP_MICLEN) {
@@ -357,10 +355,8 @@ ieee80211_ccmp_decrypt(struct ieee80211com *ic, struct mbuf *m0,
MGET(n0, M_DONTWAIT, m0->m_type);
if (n0 == NULL)
goto nospace;
- if (m_dup_pkthdr(n0, m0)) {
- m_free(n0);
+ if (m_dup_pkthdr(n0, m0))
goto nospace;
- }
n0->m_pkthdr.len -= IEEE80211_CCMP_HDRLEN + IEEE80211_CCMP_MICLEN;
n0->m_len = MHLEN;
if (n0->m_pkthdr.len >= MINCLSIZE) {
diff --git a/sys/net80211/ieee80211_crypto_tkip.c b/sys/net80211/ieee80211_crypto_tkip.c
index 38574e00abb..dc359713f40 100644
--- a/sys/net80211/ieee80211_crypto_tkip.c
+++ b/sys/net80211/ieee80211_crypto_tkip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_crypto_tkip.c,v 1.15 2009/09/13 14:42:52 krw Exp $ */
+/* $OpenBSD: ieee80211_crypto_tkip.c,v 1.16 2009/09/24 16:03:10 damien Exp $ */
/*-
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -198,10 +198,8 @@ ieee80211_tkip_encrypt(struct ieee80211com *ic, struct mbuf *m0,
MGET(n0, M_DONTWAIT, m0->m_type);
if (n0 == NULL)
goto nospace;
- if (m_dup_pkthdr(n0, m0)) {
- m_free(n0);
+ if (m_dup_pkthdr(n0, m0))
goto nospace;
- }
n0->m_pkthdr.len += IEEE80211_TKIP_HDRLEN;
n0->m_len = MHLEN;
if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) {
@@ -370,10 +368,8 @@ ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0,
MGET(n0, M_DONTWAIT, m0->m_type);
if (n0 == NULL)
goto nospace;
- if (m_dup_pkthdr(n0, m0)) {
- m_free(n0);
+ if (m_dup_pkthdr(n0, m0))
goto nospace;
- }
n0->m_pkthdr.len -= IEEE80211_TKIP_OVHD;
n0->m_len = MHLEN;
if (n0->m_pkthdr.len >= MINCLSIZE) {
diff --git a/sys/net80211/ieee80211_crypto_wep.c b/sys/net80211/ieee80211_crypto_wep.c
index 6ca41735647..178c10c2890 100644
--- a/sys/net80211/ieee80211_crypto_wep.c
+++ b/sys/net80211/ieee80211_crypto_wep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_crypto_wep.c,v 1.6 2009/09/13 14:42:52 krw Exp $ */
+/* $OpenBSD: ieee80211_crypto_wep.c,v 1.7 2009/09/24 16:03:10 damien Exp $ */
/*-
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -95,10 +95,8 @@ ieee80211_wep_encrypt(struct ieee80211com *ic, struct mbuf *m0,
MGET(n0, M_DONTWAIT, m0->m_type);
if (n0 == NULL)
goto nospace;
- if (m_dup_pkthdr(n0, m0)) {
- m_free(n0);
+ if (m_dup_pkthdr(n0, m0))
goto nospace;
- }
n0->m_pkthdr.len += IEEE80211_WEP_HDRLEN;
n0->m_len = MHLEN;
if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_WEP_CRCLEN) {
@@ -230,10 +228,8 @@ ieee80211_wep_decrypt(struct ieee80211com *ic, struct mbuf *m0,
MGET(n0, M_DONTWAIT, m0->m_type);
if (n0 == NULL)
goto nospace;
- if (m_dup_pkthdr(n0, m0)) {
- m_free(n0);
+ if (m_dup_pkthdr(n0, m0))
goto nospace;
- }
n0->m_pkthdr.len -= IEEE80211_WEP_TOTLEN;
n0->m_len = MHLEN;
if (n0->m_pkthdr.len >= MINCLSIZE) {