diff options
| author |   mpi <mpi@openbsd.org> | 2016-08-22 15:37:23 +0000 |
|---|---|---|
| committer | mpi <mpi@openbsd.org> | 2016-08-22 15:37:23 +0000 |
| commit | e39b1741365930eabb63c9eb8b563a79cfe54d31 (patch) | |
| tree | 1f3efc7b810298a45115a9bb68858aad6c51e99f /sys/netmpls | |
| parent | Enable SNI support in httpd(8). (diff) | |
| download | wireguard-openbsd-e39b1741365930eabb63c9eb8b563a79cfe54d31.tar.xz wireguard-openbsd-e39b1741365930eabb63c9eb8b563a79cfe54d31.zip | |
Do not dereference ``rt->rt_ifa'' after calling rtfree(9).
This could result in a use after free if the route entry was holding
the last reference of the address descriptor.
ok jca@, bluhm@, claudio@
Diffstat (limited to 'sys/netmpls')
| -rw-r--r-- | sys/netmpls/mpls_input.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/netmpls/mpls_input.c b/sys/netmpls/mpls_input.c index 4db0bc506bd..23cb330ad0c 100644 --- a/sys/netmpls/mpls_input.c +++ b/sys/netmpls/mpls_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mpls_input.c,v 1.56 2016/07/11 09:23:06 mpi Exp $ */ +/* $OpenBSD: mpls_input.c,v 1.57 2016/08/22 15:37:23 mpi Exp $ */ /* * Copyright (c) 2008 Claudio Jeker <claudio@openbsd.org> @@ -385,8 +385,9 @@ mpls_do_error(struct mbuf *m, int type, int code, int destmtu) m_freem(m); return (NULL); } - rtfree(rt); + /* It is safe to dereference ``ia'' iff ``rt'' is valid. */ error = icmp_reflect(m, NULL, ia); + rtfree(rt); if (error) return (NULL); |