diff options
| author | David Gwynne <dlg@cvs.openbsd.org> | 2016-08-18 06:01:11 +0000 |
|---|---|---|
| committer | David Gwynne <dlg@cvs.openbsd.org> | 2016-08-18 06:01:11 +0000 |
| commit | d78867a63cbf3494c2e1ef4b92c2823f41da3129 (patch) | |
| tree | 3a725ceddd758957674455a48d28a14b68beffc4 /sys/netinet/ip_ipcomp.c | |
| parent | d3ae3ce9cbd2ecbada8b1187de340c869534a873 (diff) | |
fix panics caused by replacing m_copym2 with m_dup_pkt.
m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.
m_dup_pkt panics cos of that.
this makes ipsec duplicate the whole packet if any of the chain is
readonly.
found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@
Diffstat (limited to 'sys/netinet/ip_ipcomp.c')
| -rw-r--r-- | sys/netinet/ip_ipcomp.c | 21 |
1 files changed, 7 insertions, 14 deletions
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c index 27bc2f381cc..120511bf37e 100644 --- a/sys/netinet/ip_ipcomp.c +++ b/sys/netinet/ip_ipcomp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipcomp.c,v 1.45 2016/08/15 11:35:25 dlg Exp $ */ +/* $OpenBSD: ip_ipcomp.c,v 1.46 2016/08/18 06:01:10 dlg Exp $ */ /* * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org) @@ -373,7 +373,7 @@ ipcomp_output(m, tdb, mp, skip, protoff) struct cryptodesc *crdc = NULL; struct cryptop *crp; struct tdb_crypto *tc; - struct mbuf *mi, *mo; + struct mbuf *mi; #ifdef ENCDEBUG char buf[INET6_ADDRSTRLEN]; #endif @@ -462,18 +462,14 @@ ipcomp_output(m, tdb, mp, skip, protoff) } /* * Loop through mbuf chain; if we find a readonly mbuf, - * replace the rest of the chain. + * copy the packet. */ - mo = NULL; mi = m; - while (mi != NULL && !M_READONLY(mi)) { - mo = mi; + while (mi != NULL && !M_READONLY(mi)) mi = mi->m_next; - } if (mi != NULL) { - /* Replace the rest of the mbuf chain. */ - struct mbuf *n = m_dup_pkt(mi, 0, M_DONTWAIT); + struct mbuf *n = m_dup_pkt(m, 0, M_DONTWAIT); if (n == NULL) { DPRINTF(("ipcomp_output(): bad mbuf chain, IPCA %s/%08x\n", @@ -483,12 +479,9 @@ ipcomp_output(m, tdb, mp, skip, protoff) m_freem(m); return ENOBUFS; } - if (mo != NULL) - mo->m_next = n; - else - m = n; - m_freem(mi); + m_freem(m); + m = n; } /* Ok now, we can pass to the crypto processing */ |