summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorStefan Fritsch <sf@cvs.openbsd.org>2013-05-12 17:10:58 +0000
committerStefan Fritsch <sf@cvs.openbsd.org>2013-05-12 17:10:58 +0000
commited5c562d3632b327a47883492dcea0423217f374 (patch)
treea7cddaf73bbc6a89d0632dd5fcdbf173a0899438 /sys
parent138c1e3d20b3cb194ac4b2084e169a352f435cf4 (diff)
fix use after free in case the mbuf needs defragmentation
This fixes a panic found by Matthieu Herrb. OK mikeb@
Diffstat (limited to 'sys')
-rw-r--r--sys/dev/pci/if_vio.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/sys/dev/pci/if_vio.c b/sys/dev/pci/if_vio.c
index d6e73b022b4..02bf74c9a3a 100644
--- a/sys/dev/pci/if_vio.c
+++ b/sys/dev/pci/if_vio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_vio.c,v 1.12 2013/03/16 19:08:37 sf Exp $ */
+/* $OpenBSD: if_vio.c,v 1.13 2013/05/12 17:10:57 sf Exp $ */
/*
* Copyright (c) 2012 Stefan Fritsch, Alexander Fiveg.
@@ -747,6 +747,10 @@ again:
break;
}
IFQ_DEQUEUE(&ifp->if_snd, m);
+ if (m != sc->sc_tx_mbufs[slot]) {
+ m_freem(m);
+ m = sc->sc_tx_mbufs[slot];
+ }
hdr = &sc->sc_tx_hdrs[slot];
memset(hdr, 0, sc->sc_hdr_size);
@@ -1143,7 +1147,6 @@ vio_encap(struct vio_softc *sc, int slot, struct mbuf *m,
r);
return ENOBUFS;
}
- m_freem(m);
*mnew = m0;
return 0;
}