diff options
| author |   rzalamena <rzalamena@openbsd.org> | 2016-11-18 16:23:13 +0000 |
|---|---|---|
| committer | rzalamena <rzalamena@openbsd.org> | 2016-11-18 16:23:13 +0000 |
| commit | 78b3a538eff5a1cf7ea6474dd1b25b8143d5354e (patch) | |
| tree | 170b86671267c1ae9aa7b8c42a5abc2514bb9757 | |
| parent | Add support for multiple listening sockets (diff) | |
| download | wireguard-openbsd-78b3a538eff5a1cf7ea6474dd1b25b8143d5354e.tar.xz wireguard-openbsd-78b3a538eff5a1cf7ea6474dd1b25b8143d5354e.zip | |
Fix a panic introduced with the memory leak correction. Use the saved
length instead of the packet instruction length to free the old
instruction.
ok reyk@
| -rw-r--r-- | sys/net/switchofp.c | 37 |
1 files changed, 22 insertions, 15 deletions
diff --git a/sys/net/switchofp.c b/sys/net/switchofp.c index acb185c3432..d8760c63c78 100644 --- a/sys/net/switchofp.c +++ b/sys/net/switchofp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: switchofp.c,v 1.31 2016/11/16 13:47:27 reyk Exp $ */ +/* $OpenBSD: switchofp.c,v 1.32 2016/11/18 16:23:13 rzalamena Exp $ */ /* * Copyright (c) 2016 Kazuya GODA <goda@openbsd.org> @@ -4796,49 +4796,56 @@ swofp_flow_entry_put_instructions(struct mbuf *m, switch (ntohs(oi->i_type)) { case OFP_INSTRUCTION_T_GOTO_TABLE: - free(swfe->swfe_goto_table, M_DEVBUF, - ntohs(oi->i_len)); + if (swfe->swfe_goto_table) + free(swfe->swfe_goto_table, M_DEVBUF, + ntohs(swfe->swfe_goto_table->igt_len)); swfe->swfe_goto_table = (struct ofp_instruction_goto_table *)inst; break; case OFP_INSTRUCTION_T_WRITE_META: - free(swfe->swfe_write_metadata, M_DEVBUF, - ntohs(oi->i_len)); + if (swfe->swfe_write_metadata) + free(swfe->swfe_write_metadata, M_DEVBUF, + ntohs(swfe->swfe_write_metadata->iwm_len)); swfe->swfe_write_metadata = (struct ofp_instruction_write_metadata *)inst; break; case OFP_INSTRUCTION_T_WRITE_ACTIONS: - free(swfe->swfe_write_actions, M_DEVBUF, - ntohs(oi->i_len)); + if (swfe->swfe_write_actions) + free(swfe->swfe_write_actions, M_DEVBUF, + ntohs(swfe->swfe_write_actions->ia_len)); swfe->swfe_write_actions = (struct ofp_instruction_actions *)inst; break; case OFP_INSTRUCTION_T_APPLY_ACTIONS: - free(swfe->swfe_apply_actions, M_DEVBUF, - ntohs(oi->i_len)); + if (swfe->swfe_apply_actions) + free(swfe->swfe_apply_actions, M_DEVBUF, + ntohs(swfe->swfe_apply_actions->ia_len)); swfe->swfe_apply_actions = (struct ofp_instruction_actions *)inst; break; case OFP_INSTRUCTION_T_CLEAR_ACTIONS: - free(swfe->swfe_clear_actions, M_DEVBUF, - ntohs(oi->i_len)); + if (swfe->swfe_clear_actions) + free(swfe->swfe_clear_actions, M_DEVBUF, + ntohs(swfe->swfe_clear_actions->ia_len)); swfe->swfe_clear_actions = (struct ofp_instruction_actions *)inst; break; case OFP_INSTRUCTION_T_METER: - free(swfe->swfe_meter, M_DEVBUF, - ntohs(oi->i_len)); + if (swfe->swfe_meter) + free(swfe->swfe_meter, M_DEVBUF, + ntohs(swfe->swfe_meter->im_len)); swfe->swfe_meter = (struct ofp_instruction_meter *)inst; break; case OFP_INSTRUCTION_T_EXPERIMENTER: - free(swfe->swfe_experimenter, M_DEVBUF, - ntohs(oi->i_len)); + if (swfe->swfe_experimenter) + free(swfe->swfe_experimenter, M_DEVBUF, + ntohs(swfe->swfe_experimenter->ie_len)); swfe->swfe_experimenter = (struct ofp_instruction_experimenter *)inst; |