Fix ipip_output() to always set *mp to NULL on failure, even if 'm'

is NULL, otherwise ipsec4_process_packet() may try to m_freem() a bad pointer. In ipsec4_process_packet(), don't try to m_freem() 'm' twice; ipip_output() already did it. Obtained from: netbsd
2004-01-20 22:45:10 +00:00 · 2004-01-20 22:45:10 +00:00 · b5b47bc6fa
commit b5b47bc6fa
parent c58cde95d1
2 changed files with 6 additions and 3 deletions
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@ -426,8 +426,11 @@ ipsec4_process_packet(
 				error = EFAULT;
 			}
 			if (error) {
-				if (mp)
+				if (mp) {
+					/* XXX: Should never happen! */
 					m_freem(mp);
+				}
+				m = NULL; /* ipip_output() already freed it */
 				goto bad;
 			}
 			m = mp, mp = NULL;
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@ -526,7 +526,6 @@ ipip_output(
 		if (m == 0) {
 			DPRINTF(("%s: M_PREPEND failed\n", __func__));
 			ipipstat.ipips_hdrops++;
-			*mp = NULL;
 			error = ENOBUFS;
 			goto bad;
 		}
@ -610,7 +609,8 @@ ipip_output(
 	return 0;
 bad:
 	if (m)
-		m_freem(m), *mp = NULL;
+		m_freem(m);
+	*mp = NULL;
 	return (error);
 }