Get rid of a panic that occurs in ether_demux() by dereferencing a NULL mbuf

pointer, when bridging and bridge_ipfw are enabled, and when bdg_forward() happens to free the packet and make our pointer NULL. There may be more similar problems like this one with calls to bdg_forward(). PR: Related to kern/19551 Reviewed by: jlemon
2000-09-24 04:08:38 +00:00 · 2000-09-24 04:08:38 +00:00 · 0a3e6d7055
commit 0a3e6d7055
parent 3da774a231
2 changed files with 12 additions and 1 deletions
--- a/sys/net/bridge.c
+++ b/sys/net/bridge.c
@ -772,6 +772,9 @@ bdg_forward(struct mbuf **m0, struct ether_header *const eh, struct ifnet *dst)
 	m_freem(m);
 	if (canfree == 0) /* m was a copy */
 	    m_freem(*m0);
+#ifdef DIAGNOSTIC
+	printf("bdg_forward: No rules match, so dropping packet!\n");
+#endif
 	*m0 = NULL ;
 	return 0 ;
    }
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@ -446,8 +446,16 @@ ether_input(ifp, eh, m)
 			m_freem(m);
 			return;
 		}
-		if (bif != BDG_LOCAL)
+		if (bif != BDG_LOCAL) {
 			bdg_forward(&m, eh, bif);	/* needs forwarding */
+			/*
+			 * Do not continue if bdg_forward() processed our
+			 * packet (and cleared the mbuf pointer m) or if
+			 * it dropped (m_free'd) the packet itself.
+			 */
+			if (m == NULL)
+				return;
+		}
 		if (bif == BDG_LOCAL
 		    || bif == BDG_BCAST
 		    || bif == BDG_MCAST)