authoryasuoka <yasuoka@openbsd.org>2011-03-14 06:53:33 +0000
committeryasuoka <yasuoka@openbsd.org>2011-03-14 06:53:33 +0000
commitcb76d2903eba75202b26243b39e42803f9523adc (patch)
treef5d7868f6f2ad796dac113e1964c4f44d357b280
parentfix typo (diff)
downloadwireguard-openbsd-cb76d2903eba75202b26243b39e42803f9523adc.tar.xz
wireguard-openbsd-cb76d2903eba75202b26243b39e42803f9523adc.zip
fixed a use-after-free bug introduced at 1.7 in pipex_mppe_output().
ok dlg@ tested by jono
-rw-r--r--sys/net/pipex.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index dd16db104a7..6ab058ebe5d 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.c,v 1.15 2011/02/24 04:21:34 yasuoka Exp $ */
+/* $OpenBSD: pipex.c,v 1.16 2011/03/14 06:53:33 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -2545,13 +2545,6 @@ pipex_mppe_output(struct mbuf *m0, struct pipex_session *session,
mppe = &session->mppe_send;
- /* prepend mppe header */
- M_PREPEND(m0, sizeof(struct mppe_header), M_NOWAIT);
- if (m0 == NULL)
- goto drop;
- hdr = mtod(m0, struct mppe_header *);
- hdr->protocol = protocol;
-
/*
* create a deep-copy if the mbuf has a shared mbuf cluster.
* this is required to handle cases of tcp retransmition.
@@ -2566,6 +2559,12 @@ pipex_mppe_output(struct mbuf *m0, struct pipex_session *session,
break;
}
}
+ /* prepend mppe header */
+ M_PREPEND(m0, sizeof(struct mppe_header), M_NOWAIT);
+ if (m0 == NULL)
+ goto drop;
+ hdr = mtod(m0, struct mppe_header *);
+ hdr->protocol = protocol;
/* check coherency counter */
flushed = 0;
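Review bot: The relocated `/* prepend mppe header */` comment on the added lines does not record that the prepend now has to come after the shared-cluster deep copy, which is the ordering this fix depends on. `hdr` is taken from `m0` with `mtod()`, so any later step that frees or replaces `m0` leaves it dangling; presumably the deep-copy loop does exactly that, though its body lies outside the hunk. I would write the comment as `/* prepend mppe header; keep this after the deep copy above, hdr must point into the final m0 */` so a later reordering does not reintroduce the use-after-free. The `drop` label is also outside the hunk, so it is worth confirming that path copes with `m0 == NULL` after a failed `M_PREPEND`.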