diff options
| author |   claudio <claudio@openbsd.org> | 2017-07-19 06:59:16 +0000 |
|---|---|---|
| committer | claudio <claudio@openbsd.org> | 2017-07-19 06:59:16 +0000 |
| commit | b3af46a9e4cf83654aab54397c511bc7d6451145 (patch) | |
| tree | 75da6b38a7d9843529688b9f3a201da8185a7e88 | |
| parent | Move KTRPOINT call up. The lenght variable i is getting aligned and so (diff) | |
| download | wireguard-openbsd-b3af46a9e4cf83654aab54397c511bc7d6451145.tar.xz wireguard-openbsd-b3af46a9e4cf83654aab54397c511bc7d6451145.zip | |
Fix double free in pppoe_dispatch_disc_pkt(). If m_pulldown() fails m is
freed but another m_freem call happens later. Set m to NULL if m_pulldown()
fails like in all other cases of this function.
Found by Ilja Van Sprundel
OK bluhm@
| -rw-r--r-- | sys/net/if_pppoe.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/net/if_pppoe.c b/sys/net/if_pppoe.c index 6e4d9d91c86..04116ef1ee2 100644 --- a/sys/net/if_pppoe.c +++ b/sys/net/if_pppoe.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_pppoe.c,v 1.62 2017/05/27 18:36:20 mpi Exp $ */ +/* $OpenBSD: if_pppoe.c,v 1.63 2017/07/19 06:59:16 claudio Exp $ */ /* $NetBSD: if_pppoe.c,v 1.51 2003/11/28 08:56:48 keihan Exp $ */ /* @@ -519,7 +519,9 @@ static void pppoe_dispatch_disc_pkt(struct mbuf *m, int off) if (errortag && len) { n = m_pulldown(m, off, len, &noff); - if (n) { + if (n == NULL) { + m = NULL; + } else { u_int8_t *et = mtod(n, caddr_t) + noff; while (len--) addlog("%c", *et++); |