diff options
| author | YASUOKA Masahiko <yasuoka@cvs.openbsd.org> | 2011-03-14 06:53:34 +0000 |
|---|---|---|
| committer | YASUOKA Masahiko <yasuoka@cvs.openbsd.org> | 2011-03-14 06:53:34 +0000 |
| commit | 8826aefc8c459d6138506ab570c60abbfcff8aa1 (patch) | |
| tree | 44872e8d216b09a48d0a17e647967c4fe26f59c5 /sys/net/pipex.c | |
| parent | 5d14945d86d9be308963dc95bf491b142cd7f4c3 (diff) | |
fixed a use-after-free bug introduced at 1.7 in pipex_mppe_output().
ok dlg@
tested by jono
Diffstat (limited to 'sys/net/pipex.c')
| -rw-r--r-- | sys/net/pipex.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/sys/net/pipex.c b/sys/net/pipex.c index dd16db104a7..6ab058ebe5d 100644 --- a/sys/net/pipex.c +++ b/sys/net/pipex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pipex.c,v 1.15 2011/02/24 04:21:34 yasuoka Exp $ */ +/* $OpenBSD: pipex.c,v 1.16 2011/03/14 06:53:33 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -2545,13 +2545,6 @@ pipex_mppe_output(struct mbuf *m0, struct pipex_session *session, mppe = &session->mppe_send; - /* prepend mppe header */ - M_PREPEND(m0, sizeof(struct mppe_header), M_NOWAIT); - if (m0 == NULL) - goto drop; - hdr = mtod(m0, struct mppe_header *); - hdr->protocol = protocol; - /* * create a deep-copy if the mbuf has a shared mbuf cluster. * this is required to handle cases of tcp retransmition. @@ -2566,6 +2559,12 @@ pipex_mppe_output(struct mbuf *m0, struct pipex_session *session, break; } } + /* prepend mppe header */ + M_PREPEND(m0, sizeof(struct mppe_header), M_NOWAIT); + if (m0 == NULL) + goto drop; + hdr = mtod(m0, struct mppe_header *); + hdr->protocol = protocol; /* check coherency counter */ flushed = 0; |