From 78a7880f64bb55d805cc893d03f6cc42ceb0aa3e Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Wed, 12 Dec 2012 17:41:21 +0000
Subject: [PATCH]   Fix a crash in tcp_input(), that happens when mbuf has a
 fwd_tag on it, but later after processing and freeing the tag, we need to
 jump back again to the findpcb label. Since the fwd_tag pointer wasn't NULL
 we tried to process and free the tag for second time.

Reported & tested by:	Pawel Tyll <ptyll nitronet.pl>
MFC after:		3 days
---
 sys/netinet/tcp_input.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 564f792e7828..65a2ed5bc1f2 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -810,6 +810,7 @@ findpcb:
 		/* Remove the tag from the packet.  We don't need it anymore. */
 		m_tag_delete(m, fwd_tag);
 		m->m_flags &= ~M_IP_NEXTHOP;
+		fwd_tag = NULL;
 	} else if (isipv6) {
 		inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src,
 		    th->th_sport, &ip6->ip6_dst, th->th_dport,
@@ -847,6 +848,7 @@ findpcb:
 		/* Remove the tag from the packet.  We don't need it anymore. */
 		m_tag_delete(m, fwd_tag);
 		m->m_flags &= ~M_IP_NEXTHOP;
+		fwd_tag = NULL;
 	} else
 		inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src,
 		    th->th_sport, ip->ip_dst, th->th_dport,