diff options
| author | Philip Guenthe <guenther@cvs.openbsd.org> | 2012-07-22 18:11:55 +0000 |
|---|---|---|
| committer | Philip Guenthe <guenther@cvs.openbsd.org> | 2012-07-22 18:11:55 +0000 |
| commit | 17b8e809dab3586cf2872d51a1c1ca39ea8203fc (patch) | |
| tree | a9b6f2e4260fc1b9eefb2f9b45b56b2ad238a64c /sys/kern | |
| parent | 4635525b053ea9e1359d24504bd4a9db2d5896bb (diff) | |
unp_dispose() walks not just the mbuf chain (m_next) but also the packet
chain (m_nextpkt), so the mbuf passed to it must be disconnected completely
from the socket buffer's chains.
Problem noticed by yasuoka@; tweak from krw@, ok deraadt@
Diffstat (limited to 'sys/kern')
| -rw-r--r-- | sys/kern/uipc_socket.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index c081068a59d..653de7df2e1 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_socket.c,v 1.103 2012/07/10 11:42:53 guenther Exp $ */ +/* $OpenBSD: uipc_socket.c,v 1.104 2012/07/22 18:11:54 guenther Exp $ */ /* $NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $ */ /* @@ -772,7 +772,7 @@ dontblock: } else { sbfree(&so->so_rcv, m); so->so_rcv.sb_mb = m->m_next; - m->m_next = 0; + m->m_nextpkt = m->m_next = NULL; cm = m; m = so->so_rcv.sb_mb; sbsync(&so->so_rcv, nextrecord); |