do not call m_free(n0) followed by m_freem(n0) when m_dup_pkthdr()

call fails.  this double-free was introduced with the M_DUP_PKTHRD
to m_dup_pkthdr change that got committed before I had a chance to
review it.

3 files changed, 9 insertions, 21 deletions

diff --git a/sys/net80211/ieee80211_crypto_ccmp.c b/sys/net80211/ieee80211_crypto_ccmp.c
index 728a363c25b..d491c20168f 100644
--- a/sys/net80211/ieee80211_crypto_ccmp.c
+++ b/sys/net80211/ieee80211_crypto_ccmp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ieee80211_crypto_ccmp.c,v 1.9 2009/09/13 14:42:52 krw Exp $	*/
+/*	$OpenBSD: ieee80211_crypto_ccmp.c,v 1.10 2009/09/24 16:03:10 damien Exp $	*/
 
 /*-
  * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -176,10 +176,8 @@ ieee80211_ccmp_encrypt(struct ieee80211com *ic, struct mbuf *m0,
 	MGET(n0, M_DONTWAIT, m0->m_type);
 	if (n0 == NULL)
 		goto nospace;
-	if (m_dup_pkthdr(n0, m0)) {
-		m_free(n0);
+	if (m_dup_pkthdr(n0, m0))
 		goto nospace;
-	}
 	n0->m_pkthdr.len += IEEE80211_CCMP_HDRLEN;
 	n0->m_len = MHLEN;
 	if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_CCMP_MICLEN) {
@@ -357,10 +355,8 @@ ieee80211_ccmp_decrypt(struct ieee80211com *ic, struct mbuf *m0,
 	MGET(n0, M_DONTWAIT, m0->m_type);
 	if (n0 == NULL)
 		goto nospace;
-	if (m_dup_pkthdr(n0, m0)) {
-		m_free(n0);
+	if (m_dup_pkthdr(n0, m0))
 		goto nospace;
-	}
 	n0->m_pkthdr.len -= IEEE80211_CCMP_HDRLEN + IEEE80211_CCMP_MICLEN;
 	n0->m_len = MHLEN;
 	if (n0->m_pkthdr.len >= MINCLSIZE) {
diff --git a/sys/net80211/ieee80211_crypto_tkip.c b/sys/net80211/ieee80211_crypto_tkip.c
index 38574e00abb..dc359713f40 100644
--- a/sys/net80211/ieee80211_crypto_tkip.c
+++ b/sys/net80211/ieee80211_crypto_tkip.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ieee80211_crypto_tkip.c,v 1.15 2009/09/13 14:42:52 krw Exp $	*/
+/*	$OpenBSD: ieee80211_crypto_tkip.c,v 1.16 2009/09/24 16:03:10 damien Exp $	*/
 
 /*-
  * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -198,10 +198,8 @@ ieee80211_tkip_encrypt(struct ieee80211com *ic, struct mbuf *m0,
 	MGET(n0, M_DONTWAIT, m0->m_type);
 	if (n0 == NULL)
 		goto nospace;
-	if (m_dup_pkthdr(n0, m0)) {
-		m_free(n0);
+	if (m_dup_pkthdr(n0, m0))
 		goto nospace;
-	}
 	n0->m_pkthdr.len += IEEE80211_TKIP_HDRLEN;
 	n0->m_len = MHLEN;
 	if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_TKIP_TAILLEN) {
@@ -370,10 +368,8 @@ ieee80211_tkip_decrypt(struct ieee80211com *ic, struct mbuf *m0,
 	MGET(n0, M_DONTWAIT, m0->m_type);
 	if (n0 == NULL)
 		goto nospace;
-	if (m_dup_pkthdr(n0, m0)) {
-		m_free(n0);
+	if (m_dup_pkthdr(n0, m0))
 		goto nospace;
-	}
 	n0->m_pkthdr.len -= IEEE80211_TKIP_OVHD;
 	n0->m_len = MHLEN;
 	if (n0->m_pkthdr.len >= MINCLSIZE) {
diff --git a/sys/net80211/ieee80211_crypto_wep.c b/sys/net80211/ieee80211_crypto_wep.c
index 6ca41735647..178c10c2890 100644
--- a/sys/net80211/ieee80211_crypto_wep.c
+++ b/sys/net80211/ieee80211_crypto_wep.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ieee80211_crypto_wep.c,v 1.6 2009/09/13 14:42:52 krw Exp $	*/
+/*	$OpenBSD: ieee80211_crypto_wep.c,v 1.7 2009/09/24 16:03:10 damien Exp $	*/
 
 /*-
  * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -95,10 +95,8 @@ ieee80211_wep_encrypt(struct ieee80211com *ic, struct mbuf *m0,
 	MGET(n0, M_DONTWAIT, m0->m_type);
 	if (n0 == NULL)
 		goto nospace;
-	if (m_dup_pkthdr(n0, m0)) {
-		m_free(n0);
+	if (m_dup_pkthdr(n0, m0))
 		goto nospace;
-	}
 	n0->m_pkthdr.len += IEEE80211_WEP_HDRLEN;
 	n0->m_len = MHLEN;
 	if (n0->m_pkthdr.len >= MINCLSIZE - IEEE80211_WEP_CRCLEN) {
@@ -230,10 +228,8 @@ ieee80211_wep_decrypt(struct ieee80211com *ic, struct mbuf *m0,
 	MGET(n0, M_DONTWAIT, m0->m_type);
 	if (n0 == NULL)
 		goto nospace;
-	if (m_dup_pkthdr(n0, m0)) {
-		m_free(n0);
+	if (m_dup_pkthdr(n0, m0))
 		goto nospace;
-	}
 	n0->m_pkthdr.len -= IEEE80211_WEP_TOTLEN;
 	n0->m_len = MHLEN;
 	if (n0->m_pkthdr.len >= MINCLSIZE) {