If m is not a continuous mbuf cluster, m_pullup() in pr_input may

change the pointer. Then *mp keeps the invalid pointer and it might be used. Fix the potential use after free and also reset *mp in other places to have less dangling pointers to freed mbufs. OK mpi@ mikeb@
author: bluhm <bluhm@openbsd.org> 2017-05-04 17:58:46 +0000
committer: bluhm <bluhm@openbsd.org> 2017-05-04 17:58:46 +0000
commit: eabae73b07e07afe1ac6a777c24b270d93635743 (patch)
tree: 3e2af4f44d5d4e68056f20832ae21845ce7a3ec7 /sys/netinet/tcp_input.c
parent: Implementation of the Flow Queue - Controlled Delay (FQ-CoDel) (diff)
download: wireguard-openbsd-eabae73b07e07afe1ac6a777c24b270d93635743.tar.xz
wireguard-openbsd-eabae73b07e07afe1ac6a777c24b270d93635743.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 70887a58be0..38b2f7c6748 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_input.c,v 1.342 2017/05/03 19:58:12 millert Exp $	*/
+/*	$OpenBSD: tcp_input.c,v 1.343 2017/05/04 17:58:46 bluhm Exp $	*/
 /*	$NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $	*/
 
 /*
@@ -702,7 +702,7 @@ findpcb:
 					 * in use for the reply,
 					 * do not free it.
 					 */
-					m = NULL;
+					m = *mp = NULL;
 					goto drop;
 				} else {
 					/*
author	bluhm <bluhm@openbsd.org>	2017-05-04 17:58:46 +0000
committer	bluhm <bluhm@openbsd.org>	2017-05-04 17:58:46 +0000
commit	eabae73b07e07afe1ac6a777c24b270d93635743 (patch)
tree	3e2af4f44d5d4e68056f20832ae21845ce7a3ec7 /sys/netinet/tcp_input.c
parent	Implementation of the Flow Queue - Controlled Delay (FQ-CoDel) (diff)
download	wireguard-openbsd-eabae73b07e07afe1ac6a777c24b270d93635743.tar.xz wireguard-openbsd-eabae73b07e07afe1ac6a777c24b270d93635743.zip