authorYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2011-03-14 06:53:34 +0000
committerYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2011-03-14 06:53:34 +0000
commit8826aefc8c459d6138506ab570c60abbfcff8aa1 (patch)
tree44872e8d216b09a48d0a17e647967c4fe26f59c5 /sys/net
parent5d14945d86d9be308963dc95bf491b142cd7f4c3 (diff)
fixed a use-after-free bug introduced at 1.7 in pipex_mppe_output().
ok dlg@ tested by jono
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pipex.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index dd16db104a7..6ab058ebe5d 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.c,v 1.15 2011/02/24 04:21:34 yasuoka Exp $ */
+/* $OpenBSD: pipex.c,v 1.16 2011/03/14 06:53:33 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -2545,13 +2545,6 @@ pipex_mppe_output(struct mbuf *m0, struct pipex_session *session,
mppe = &session->mppe_send;
- /* prepend mppe header */
- M_PREPEND(m0, sizeof(struct mppe_header), M_NOWAIT);
- if (m0 == NULL)
- goto drop;
- hdr = mtod(m0, struct mppe_header *);
- hdr->protocol = protocol;
-
/*
* create a deep-copy if the mbuf has a shared mbuf cluster.
* this is required to handle cases of tcp retransmition.
@@ -2566,6 +2559,12 @@ pipex_mppe_output(struct mbuf *m0, struct pipex_session *session,
break;
}
}
+ /* prepend mppe header */
+ M_PREPEND(m0, sizeof(struct mppe_header), M_NOWAIT);
+ if (m0 == NULL)
+ goto drop;
+ hdr = mtod(m0, struct mppe_header *);
+ hdr->protocol = protocol;
/* check coherency counter */
flushed = 0;
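Review bot: The relocated `/* prepend mppe header */` block is only correct because it now runs after the deep-copy loop, but nothing in the new lines records that ordering constraint, so a later cleanup could undo it. `hdr` is a pointer into m0's data taken with `mtod()`, and per the commit message the earlier placement left it referring to freed memory once the copy path replaced m0 (the loop body is mostly outside this hunk, so that is inferred from the message and the deep-copy comment). I would extend the comment to something like `/* prepend mppe header; must follow the deep-copy above, which may replace m0 and would leave hdr dangling */`. It is also worth confirming that the code after `flushed = 0;`, which is not shown here, does not replace or reallocate m0 again while `hdr` is still in use.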