From d8016119426fcf1460cf025b746ce5151f9e0037 Mon Sep 17 00:00:00 2001 From: Claudio Jeker Date: Wed, 18 Apr 2007 08:18:23 +0000 Subject: Break out of the mtag check loop when a hit was found else we end up in a double free. Found and tested by Stefan Schmieta. OK markus@ mbalmer@ --- sys/net/if_gif.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sys/net/if_gif.c b/sys/net/if_gif.c index 36512c6b400..483ec2f95d2 100644 --- a/sys/net/if_gif.c +++ b/sys/net/if_gif.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_gif.c,v 1.41 2007/02/22 15:31:44 claudio Exp $ */ +/* $OpenBSD: if_gif.c,v 1.42 2007/04/18 08:18:22 claudio Exp $ */ /* $KAME: if_gif.c,v 1.43 2001/02/20 08:51:07 itojun Exp $ */ /* @@ -196,9 +196,11 @@ gif_start(ifp) log(LOG_NOTICE, "gif_output: " "recursively called too many times\n"); m_freem(m); - continue; + break; } } + if (mtag) + continue; mtag = m_tag_get(PACKET_TAG_GIF, sizeof(caddr_t), M_NOWAIT); if (mtag == NULL) { -- cgit v1.2.3