Date:      Sat, 7 Jul 2001 15:01:29 -0400
From:      "Alexander N. Kabaev" <ak03@gte.com>
To:        freebsd-current@FreeBSD.org
Cc:        freebsd-net@FreeBSD.org
Subject:   This can't be right (bug in ip6_output.c)
Message-ID:  <20010707150129.A910@kanpc.gte.com>

The following code in netinet6/ip6_output.c:1673 just cannot be right:


			case IPV6_FW_GET:
			  {
				struct mbuf *m;
				struct mbuf **mp = &m;

				if (ip6_fw_ctl_ptr == NULL)
			        {
					if (m)
						(void)m_free(m);
					return EINVAL;
				}
				error = (*ip6_fw_ctl_ptr)(optname, mp);
				if (error == 0)
					error = soopt_mcopyout(sopt, m); /* XXX */
				if (error == 0 && m)
					m_freem(m);
			  }
				break;

The m_free call in the ip6_fw_ctl_ptr == NULL case apparently tries to free
an uninitialized mbuf.

--
Alexander Kabaev
P.S. Below is the patch to remove the bogus m_free call:


Index: ip6_output.c
===================================================================
RCS file: /usr/ncvs/src/sys/netinet6/ip6_output.c,v
retrieving revision 1.28
diff -u -r1.28 ip6_output.c
--- ip6_output.c	2001/06/24 20:25:38	1.28
+++ ip6_output.c	2001/07/07 18:57:51
@@ -1668,11 +1668,7 @@
 				struct mbuf **mp = &m;
 
 				if (ip6_fw_ctl_ptr == NULL)
-			        {
-					if (m)
-						(void)m_free(m);
 					return EINVAL;
-				}
 				error = (*ip6_fw_ctl_ptr)(optname, mp);
 				if (error == 0)
 					error = soopt_mcopyout(sopt, m); /* XXX */
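
Review bot: m is still read without ever being initialized on this path: it is declared as "struct mbuf *m;" just above the hunk's first context line, and nothing assigns it before (*ip6_fw_ctl_ptr)(optname, mp). The soopt_mcopyout(sopt, m) call and the later "if (error == 0 && m) m_freem(m);" are therefore only safe if every handler stores through mp whenever it returns 0. Declaring it as "struct mbuf *m = NULL;" would make that independent of the handler and would also have made the removed m_free() harmless.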

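The pattern behind this report, as an added user-space example (not FreeBSD code and not part of the original message): an out-parameter pointer that starts as NULL, so every exit path frees either nothing or a buffer it owns. It goes beyond the patch by also covering a handler that fails without storing a buffer; struct buf, fw_ctl_ptr, ctl_ok, ctl_fail, buf_free and fw_get are constructed stand-ins for the mbuf, ip6_fw_ctl_ptr and the IPV6_FW_GET case.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel types and hook; not FreeBSD code. */
struct buf { int len; };
typedef int (*ctl_fn)(int optname, struct buf **bp);
static int live_bufs;       /* buffers allocated and not yet freed */
static ctl_fn fw_ctl_ptr;   /* NULL models "no firewall module loaded" */

static void buf_free(struct buf *b) { if (b) { free(b); live_bufs--; } }

/* Handler that succeeds and returns a buffer through the out-parameter. */
static int ctl_ok(int optname, struct buf **bp)
{
	(void)optname;
	if ((*bp = malloc(sizeof(**bp))) == NULL)
		return ENOMEM;
	(*bp)->len = 4;
	live_bufs++;
	return 0;
}

/* Handler that fails before storing anything through bp. */
static int ctl_fail(int optname, struct buf **bp)
{
	(void)optname; (void)bp;
	return EPERM;
}

/* Model of the get path: b starts as NULL, so each exit sees a defined value. */
static int fw_get(int optname, int *out_len)
{
	struct buf *b = NULL;
	int error;

	if (fw_ctl_ptr == NULL)
		return EINVAL;          /* nothing allocated yet, nothing to free */
	error = fw_ctl_ptr(optname, &b);
	if (error == 0 && b != NULL)
		*out_len = b->len;      /* stands in for the copy-out to the caller */
	buf_free(b);                /* NULL or a buffer this function owns */
	return error;
}

int main(void)
{
	int len = -1, bad;
	fw_ctl_ptr = ctl_fail; bad = fw_get(0, &len) != EPERM;
	fw_ctl_ptr = ctl_ok;
	return bad || fw_get(0, &len) != 0 || len != 4 || live_bufs != 0;
}
```
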