From ed5c562d3632b327a47883492dcea0423217f374 Mon Sep 17 00:00:00 2001
From: Stefan Fritsch
Date: Sun, 12 May 2013 17:10:58 +0000
Subject: fix use after free in case the mbuf needs defragmentation
This fixes a panic found by Matthieu Herrb.
OK mikeb@
---
 sys/dev/pci/if_vio.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'sys')
diff --git a/sys/dev/pci/if_vio.c b/sys/dev/pci/if_vio.c
index d6e73b022b4..02bf74c9a3a 100644
--- a/sys/dev/pci/if_vio.c
+++ b/sys/dev/pci/if_vio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_vio.c,v 1.12 2013/03/16 19:08:37 sf Exp $ */
+/* $OpenBSD: if_vio.c,v 1.13 2013/05/12 17:10:57 sf Exp $ */
 /*
 * Copyright (c) 2012 Stefan Fritsch, Alexander Fiveg.
@@ -747,6 +747,10 @@ again:
 break;
 }
 IFQ_DEQUEUE(&ifp->if_snd, m);
+ if (m != sc->sc_tx_mbufs[slot]) {
+ m_freem(m);
+ m = sc->sc_tx_mbufs[slot];
+ }
 hdr = &sc->sc_tx_hdrs[slot];
 memset(hdr, 0, sc->sc_hdr_size);
@@ -1143,7 +1147,6 @@ vio_encap(struct vio_softc *sc, int slot, struct mbuf *m,
 r);
 return ENOBUFS;
 }
- m_freem(m);
 *mnew = m0;
 return 0;
 }
--
cgit v1.2.3
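Review bot: The new `if (m != sc->sc_tx_mbufs[slot])` block after `IFQ_DEQUEUE` depends on an ownership rule that the code never states: the original mbuf belongs to `if_snd` until it is dequeued, while the slot may already hold a defragmented replacement. A short comment above the block would keep a later cleanup from moving the free back into `vio_encap()` and reintroducing the use after free, for example `/* slot holds a defragmented copy; the original is off if_snd now, so free it here */`. The `break` exits above the dequeue are only partly visible in this hunk, so it is worth confirming that a replacement already stored in the slot is released on those paths, since the original stays queued and will presumably be encapsulated again on the next pass. The enclosing function starts and ends outside the hunk.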