fix a mbuf chain corruption which happened when m_pullup was called on an

mbuf in the middle of the chain and had to MGET a new one.

2 files changed, 29 insertions, 9 deletions

diff --git a/sys/netinet/ip_esp_new.c b/sys/netinet/ip_esp_new.c
index 81012c8e1e1..53c65f2d307 100644
--- a/sys/netinet/ip_esp_new.c
+++ b/sys/netinet/ip_esp_new.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_esp_new.c,v 1.21 1998/06/03 09:50:21 provos Exp $	*/
+/*	$OpenBSD: ip_esp_new.c,v 1.22 1998/06/11 14:17:22 provos Exp $	*/
 
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
@@ -659,7 +659,7 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
 	    }
 
 	    do {
-		mi = mi->m_next;
+		mi = (mo = mi)->m_next;
 		if (mi == NULL)
 		    panic("esp_new_input(): bad chain (i)\n");
 	    } while (mi->m_len == 0);
@@ -673,6 +673,11 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
 		    espstat.esps_hdrops++;
 		    return NULL;
 		}
+		/* 
+		 * m_pullup was not called at the beginning of the chain
+		 * but might return a new mbuf, link it into the chain.
+		 */
+		mo->m_next = mi;
 	    }
 		    
 	    ilen = mi->m_len;
@@ -875,7 +880,7 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
     struct ip *ip, ipo;
     int i, ilen, ohlen, nh, rlen, plen, padding, rest;
     struct esp_new espo;
-    struct mbuf *mi;
+    struct mbuf *mi, *mo;
     u_char *pad, *idat, *odat, *ivp;
     u_char iv[ESP_MAX_IVS], blk[ESP_MAX_BLKS], auth[AH_ALEN_MAX], opts[40];
     union {
@@ -1014,7 +1019,7 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
 	    }
 
 	    do {
-		mi = mi->m_next;
+		mi = (mo = mi)->m_next;
 		if (mi == NULL)
 		    panic("esp_new_output(): bad chain (i)\n");
 	    } while (mi->m_len == 0);
@@ -1027,6 +1032,11 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
 			       tdb->tdb_dst, ntohl(tdb->tdb_spi)));
 		    return ENOBUFS;
 		}
+		/* 
+		 * m_pullup was not called at the beginning of the chain
+		 * but might return a new mbuf, link it into the chain.
+		 */
+		mo->m_next = mi;
 	    }
 		    
 	    ilen = mi->m_len;
diff --git a/sys/netinet/ip_esp_old.c b/sys/netinet/ip_esp_old.c
index ad9f3af08a9..f63fd9a09a6 100644
--- a/sys/netinet/ip_esp_old.c
+++ b/sys/netinet/ip_esp_old.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_esp_old.c,v 1.18 1998/06/03 09:50:22 provos Exp $	*/
+/*	$OpenBSD: ip_esp_old.c,v 1.19 1998/06/11 14:17:23 provos Exp $	*/
 
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
@@ -296,7 +296,7 @@ esp_old_input(struct mbuf *m, struct tdb *tdb)
     u_char *idat, *odat, *ivp, *ivn, *lblk;
     struct esp_old *esp;
     int ohlen, plen, ilen, i, blks, rest;
-    struct mbuf *mi;
+    struct mbuf *mi, *mo;
 
     xd = (struct esp_old_xdata *) tdb->tdb_xdata;
 
@@ -402,7 +402,7 @@ esp_old_input(struct mbuf *m, struct tdb *tdb)
 	    }
 
 	    do {
-		mi = mi->m_next;
+		mi = (mo = mi)->m_next;
 		if (mi == NULL)
 		    panic("esp_old_output(): bad chain (i)\n");
 	    } while (mi->m_len == 0);
@@ -416,6 +416,11 @@ esp_old_input(struct mbuf *m, struct tdb *tdb)
 		    espstat.esps_hdrops++;
 		    return NULL;
 		}
+		/* 
+		 * m_pullup was not called at the beginning of the chain
+		 * but might return a new mbuf, link it into the chain.
+		 */
+		mo->m_next = mi;
 	    }
 		    
 	    ilen = mi->m_len;
@@ -570,7 +575,7 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
     struct ip *ip, ipo;
     int i, ilen, ohlen, nh, rlen, plen, padding, rest;
     u_int32_t spi;
-    struct mbuf *mi;
+    struct mbuf *mi, *mo;
     u_char *pad, *idat, *odat, *ivp;
     u_char iv[ESP_3DES_IVS], blk[ESP_3DES_IVS], opts[40];
     int iphlen, blks;
@@ -675,7 +680,7 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
 	    }
 
 	    do {
-		mi = mi->m_next;
+		mi = (mo = mi)->m_next;
 		if (mi == NULL)
 		    panic("esp_old_output(): bad chain (i)\n");
 	    } while (mi->m_len == 0);
@@ -688,6 +693,11 @@ esp_old_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
 			     tdb->tdb_dst, ntohl(tdb->tdb_spi)));
 		    return ENOBUFS;
 		}
+		/* 
+		 * m_pullup was not called at the beginning of the chain
+		 * but might return a new mbuf, link it into the chain.
+		 */
+		mo->m_next = mi;
 	    }
 		    
 	    ilen = mi->m_len;