Date:      Sat, 15 Dec 2012 08:29:23 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject:   svn commit: r244242 - stable/9/sys/netinet
Message-ID:  <201212150829.qBF8TNbs005632@svn.freebsd.org>

Author: glebius
Date: Sat Dec 15 08:29:22 2012
New Revision: 244242
URL: http://svnweb.freebsd.org/changeset/base/244242

Log:
  Merge from head r244157:
    Fix a crash in tcp_input(), that happens when mbuf has a fwd_tag on it,
    but later after processing and freeing the tag, we need to jump back again
    to the findpcb label. Since the fwd_tag pointer wasn't NULL we tried to
    process and free the tag for a second time.
  
    Reported & tested by: Pawel Tyll <ptyll nitronet.pl>

Modified:
  stable/9/sys/netinet/tcp_input.c
Directory Properties:
  stable/9/sys/   (props changed)

Modified: stable/9/sys/netinet/tcp_input.c
==============================================================================
--- stable/9/sys/netinet/tcp_input.c	Sat Dec 15 07:11:16 2012	(r244241)
+++ stable/9/sys/netinet/tcp_input.c	Sat Dec 15 08:29:22 2012	(r244242)
@@ -822,6 +822,7 @@ findpcb:
 		/* Remove the tag from the packet.  We don't need it anymore. */
 		m_tag_delete(m, fwd_tag);
 		m->m_flags &= ~M_IP_NEXTHOP;
+		fwd_tag = NULL;
 	} else if (isipv6) {
 		inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src,
 		    th->th_sport, &ip6->ip6_dst, th->th_dport,
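Review bot: The added `fwd_tag = NULL;` after `m_tag_delete(m, fwd_tag);` has no comment saying why the reset matters, and the existing comment ("We don't need it anymore") reads as if the pointer is simply finished with. The reason is only in the commit log: control can jump back to the `findpcb` label, and a non-NULL `fwd_tag` would send the already freed tag through `m_tag_delete()` again. A one-line comment on the assignment, such as `/* Tag is freed; do not reprocess it if we return to findpcb. */`, would keep a later cleanup from dropping the line as a dead store.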
@@ -859,6 +860,7 @@ findpcb:
 		/* Remove the tag from the packet.  We don't need it anymore. */
 		m_tag_delete(m, fwd_tag);
 		m->m_flags &= ~M_IP_NEXTHOP;
+		fwd_tag = NULL;
 	} else
 		inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src,
 		    th->th_sport, ip->ip_dst, th->th_dport,
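Review bot: This second branch now repeats the same three statements as the one above (`m_tag_delete(m, fwd_tag);`, `m->m_flags &= ~M_IP_NEXTHOP;`, `fwd_tag = NULL;`), so the correctness of the fix depends on every copy of the sequence remembering the reset. Consider folding the delete, flag clear and pointer reset into one small helper or macro that takes the mbuf and the address of the tag pointer, so a later call site cannot free the tag and leave the pointer dangling for the next pass through `findpcb`.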


