From 857c546f26a920622fb7df5a262f5b63e5033dda Mon Sep 17 00:00:00 2001
From: Claudio Jeker
Date: Wed, 19 Jul 2017 06:59:17 +0000
Subject: Fix double free in pppoe_dispatch_disc_pkt(). If m_pulldown() fails m is freed but another m_freem call happens later. Set m to NULL if m_pulldown() fails like in all other cases of this function. Found by Ilja Van Sprundel OK bluhm@
---
 sys/net/if_pppoe.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/net/if_pppoe.c b/sys/net/if_pppoe.c
index 6e4d9d91c86..04116ef1ee2 100644
--- a/sys/net/if_pppoe.c
+++ b/sys/net/if_pppoe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pppoe.c,v 1.62 2017/05/27 18:36:20 mpi Exp $ */
+/* $OpenBSD: if_pppoe.c,v 1.63 2017/07/19 06:59:16 claudio Exp $ */
 /* $NetBSD: if_pppoe.c,v 1.51 2003/11/28 08:56:48 keihan Exp $ */
 /*
@@ -519,7 +519,9 @@ static void pppoe_dispatch_disc_pkt(struct mbuf *m, int off)
 if (errortag && len) {
 n = m_pulldown(m, off, len, &noff);
- if (n) {
+ if (n == NULL) {
+ m = NULL;
+ } else {
 u_int8_t *et = mtod(n, caddr_t) + noff;
 while (len--) addlog("%c", *et++);
--
cgit v1.2.3
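Review bot: The new `m = NULL;` branch in the second hunk relies on an invariant that is only stated in the commit message, namely that m_pulldown() has already freed the chain when it returns NULL. A comment on that line, such as `/* m_pulldown() freed the chain on failure; clear m so the later m_freem() is not a double free */`, would keep a later edit from dropping the assignment. pppoe_dispatch_disc_pkt continues outside the hunk, so it is worth confirming that nothing between this branch and the final free dereferences m once it is NULL. Separately, the unchanged `addlog("%c", *et++)` loop appears to copy bytes from the received packet into the log unfiltered. If that tag text is peer-controlled, replacing non-printable bytes before logging would keep control characters out of the log.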