diff options
| author | Martin Pieuchot <mpi@cvs.openbsd.org> | 2016-08-22 15:37:24 +0000 |
|---|---|---|
| committer | Martin Pieuchot <mpi@cvs.openbsd.org> | 2016-08-22 15:37:24 +0000 |
| commit | a07e28aafa5d40017ff294c88ff72166d862e568 (patch) | |
| tree | 1bb814578b7181b795788e0c01beea9f95ffe1b4 /sys/netmpls | |
| parent | faf19423497c900c6e59987f980e8410943542a1 (diff) | |
Do not dereference ``rt->rt_ifa'' after calling rtfree(9).
This could result in a use after free if the route entry was holding
the last reference of the address descriptor.
ok jca@, bluhm@, claudio@
Diffstat (limited to 'sys/netmpls')
| -rw-r--r-- | sys/netmpls/mpls_input.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/netmpls/mpls_input.c b/sys/netmpls/mpls_input.c index 4db0bc506bd..23cb330ad0c 100644 --- a/sys/netmpls/mpls_input.c +++ b/sys/netmpls/mpls_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mpls_input.c,v 1.56 2016/07/11 09:23:06 mpi Exp $ */ +/* $OpenBSD: mpls_input.c,v 1.57 2016/08/22 15:37:23 mpi Exp $ */ /* * Copyright (c) 2008 Claudio Jeker <claudio@openbsd.org> @@ -385,8 +385,9 @@ mpls_do_error(struct mbuf *m, int type, int code, int destmtu) m_freem(m); return (NULL); } - rtfree(rt); + /* It is safe to dereference ``ia'' iff ``rt'' is valid. */ error = icmp_reflect(m, NULL, ia); + rtfree(rt); if (error) return (NULL); |