diff options
| author | Claudio Jeker <claudio@cvs.openbsd.org> | 2024-03-07 14:49:48 +0000 |
|---|---|---|
| committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2024-03-07 14:49:48 +0000 |
| commit | d33162c4274c1bb0af28955d90acb761a4a3c5da (patch) | |
| tree | 2f7449d0bfbddae94ad7abe43f446326b216b696 /sys | |
| parent | 878f142e7f0e576b41dedc9497ca366fb0d3af5a (diff) | |
Fix possible double free in error path of ixgbe_rxeof.
If fmp is not-NULL then the buf is part of the mbuf chain of fmp. So
only m_freem either fmp or buf but clear both values.
Also clear the M_PKTHDR flag if buf aka mp is not the first buffer in the
chain.
Double free found by bluhm@
OK bluhm@ jan@
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/dev/pci/if_ix.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/sys/dev/pci/if_ix.c b/sys/dev/pci/if_ix.c index c623bb50938..fa1c5681949 100644 --- a/sys/dev/pci/if_ix.c +++ b/sys/dev/pci/if_ix.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_ix.c,v 1.209 2024/02/15 10:56:53 mglocker Exp $ */ +/* $OpenBSD: if_ix.c,v 1.210 2024/03/07 14:49:47 claudio Exp $ */ /****************************************************************************** @@ -3174,10 +3174,10 @@ ixgbe_rxeof(struct rx_ring *rxr) if (staterr & IXGBE_RXDADV_ERR_FRAME_ERR_MASK) { if (rxbuf->fmp) { m_freem(rxbuf->fmp); - rxbuf->fmp = NULL; + } else { + m_freem(mp); } - - m_freem(mp); + rxbuf->fmp = NULL; rxbuf->buf = NULL; goto next_desc; } @@ -3224,6 +3224,8 @@ ixgbe_rxeof(struct rx_ring *rxr) sendmp = mp; sendmp->m_pkthdr.len = 0; sendmp->m_pkthdr.ph_mss = 0; + } else { + mp->m_flags &= ~M_PKTHDR; } sendmp->m_pkthdr.len += mp->m_len; /* |