Date: Sun, 11 Aug 2002 04:08:08 +0900 (JST)
Message-Id: <20020811.040808.74720123.fujita@soum.co.jp>
To: freebsd-net@FreeBSD.ORG
Cc: freebsd-hackers@FreeBSD.ORG
Subject: m_freem() in tcp_respond()
From: FUJITA Kazutoshi
Organization: SOUM Corporation, JAPAN

Hi, there.

In tcp_respond() from /sys/netinet/tcp_subr.c, m_freem(m->m_next) is called without any checks. I think it's better to check m->m_next is not NULL, at least.

--- /sys/netinet/tcp_subr.c.ORG Thu Jul 18 19:47:04 2002 +++ /sys/netinet/tcp_subr.c Sun Aug 11 04:00:09 2002 @@ -393,7 +393,8 @@ bcopy((caddr_t)th, (caddr_t)nth, sizeof(struct tcphdr)); flags = TH_ACK; } else { - m_freem(m->m_next); + if (m->m_next) + m_freem(m->m_next); m->m_next = 0; m->m_data = (caddr_t)ipgen; /* m_len is set later */

Regards,
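
Review bot: the added guard "if (m->m_next)" in the else branch of tcp_respond() is only needed if m_freem() cannot accept a NULL chain, and neither the hunk nor the message shows that it cannot. Please check m_freem() itself first: if it already returns early on a NULL argument, the guard is redundant and this caller can stay as it was; if it does not, the check is better placed inside m_freem() so that every caller is covered rather than this one site. If the guard does stay here, spell the test as "if (m->m_next != NULL)" to match the intent stated in the message, and say in the commit message on which path m->m_next is expected to be NULL at this point.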