diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-06-19 17:58:50 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-06-19 17:58:50 +0000 |
| commit | a0d4cb32dbf3ce6e2df43a7af22e64c7658d824f (patch) | |
| tree | db224d830e58d5c7024be3637ffc1772b8f69185 /sys/net | |
| parent | 43476ea34bfa2f2287acc0bb5bf4aa9d305ecc03 (diff) | |
When dealing with mbuf pointers passed down as function parameters,
bugs could easily result in use-after-free or double free. Introduce
m_freemp() which automatically resets the pointer before freeing
it. So we have less dangling pointers in the kernel.
OK krw@ mpi@ claudio@
Diffstat (limited to 'sys/net')
| -rw-r--r-- | sys/net/bsd-comp.c | 5 | ||||
| -rw-r--r-- | sys/net/if_gif.c | 4 | ||||
| -rw-r--r-- | sys/net/pf_norm.c | 5 | ||||
| -rw-r--r-- | sys/net/ppp-deflate.c | 5 |
4 files changed, 8 insertions, 11 deletions
diff --git a/sys/net/bsd-comp.c b/sys/net/bsd-comp.c index 3816a4faf88..d087a63417d 100644 --- a/sys/net/bsd-comp.c +++ b/sys/net/bsd-comp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bsd-comp.c,v 1.13 2015/11/24 13:37:16 mpi Exp $ */ +/* $OpenBSD: bsd-comp.c,v 1.14 2017/06/19 17:58:49 bluhm Exp $ */ /* $NetBSD: bsd-comp.c,v 1.6 1996/10/13 02:10:58 christos Exp $ */ /* Because this code is derived from the 4.3BSD compress source: @@ -661,8 +661,7 @@ bsd_compress(state, mret, mp, slen, maxolen) ++db->uncomp_count; if (olen + PPP_HDRLEN + BSD_OVHD > maxolen) { /* throw away the compressed stuff if it is longer than uncompressed */ - m_freem(*mret); - *mret = NULL; + m_freemp(mret); ++db->incomp_count; db->incomp_bytes += ilen; diff --git a/sys/net/if_gif.c b/sys/net/if_gif.c index 446ccc9ccac..051cbcf3309 100644 --- a/sys/net/if_gif.c +++ b/sys/net/if_gif.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_gif.c,v 1.96 2017/05/18 10:56:45 bluhm Exp $ */ +/* $OpenBSD: if_gif.c,v 1.97 2017/06/19 17:58:49 bluhm Exp $ */ /* $KAME: if_gif.c,v 1.43 2001/02/20 08:51:07 itojun Exp $ */ /* @@ -277,7 +277,7 @@ gif_encap(struct ifnet *ifp, struct mbuf **mp, sa_family_t af) break; #endif default: - m_freem(*mp); + m_freemp(mp); error = EAFNOSUPPORT; break; } diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index e694b55f9b4..c1f8d5e3e1d 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.205 2017/06/05 22:18:28 sashan Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.206 2017/06/19 17:58:49 bluhm Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -773,8 +773,7 @@ pf_refragment6(struct mbuf **m0, struct m_tag *mtag, struct sockaddr_in6 *dst, (*m0)->m_nextpkt = NULL; if (error == 0) { /* The first mbuf contains the unfragmented packet */ - m_freem(*m0); - *m0 = NULL; + m_freemp(m0); action = PF_PASS; } else { /* Drop expects an mbuf to free */ diff --git a/sys/net/ppp-deflate.c b/sys/net/ppp-deflate.c index 98fe3110f36..cd75e9c8b26 100644 --- a/sys/net/ppp-deflate.c +++ b/sys/net/ppp-deflate.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ppp-deflate.c,v 1.12 2015/07/15 22:16:42 deraadt Exp $ */ +/* $OpenBSD: ppp-deflate.c,v 1.13 2017/06/19 17:58:49 bluhm Exp $ */ /* $NetBSD: ppp-deflate.c,v 1.1 1996/03/15 02:28:09 paulus Exp $ */ /* @@ -342,8 +342,7 @@ z_compress(arg, mret, mp, orig_len, maxolen) state->stats.comp_bytes += olen; state->stats.comp_packets++; } else { - m_freem(*mret); - *mret = NULL; + m_freemp(mret); state->stats.inc_bytes += orig_len; state->stats.inc_packets++; |