From b5b47bc6fa9ba9794afd130c91a556a3569166c7 Mon Sep 17 00:00:00 2001
From: Sam Leffler
Date: Tue, 20 Jan 2004 22:45:10 +0000
Subject: [PATCH] Fix ipip_output() to always set *mp to NULL on failure, even if 'm' is NULL, otherwise ipsec4_process_packet() may try to m_freem() a bad pointer. In ipsec4_process_packet(), don't try to m_freem() 'm' twice; ipip_output() already did it. Obtained from: netbsd
---
 sys/netipsec/ipsec_output.c | 5 ++++-
 sys/netipsec/xform_ipip.c | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 8f8c70545404..c90524b5c2cc 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -426,8 +426,11 @@ ipsec4_process_packet(
 error = EFAULT;
 }
 if (error) {
- if (mp)
+ if (mp) {
+ /* XXX: Should never happen! */
 m_freem(mp);
+ }
+ m = NULL; /* ipip_output() already freed it */
 goto bad;
 }
 m = mp, mp = NULL;
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index a8453227b67b..0f881a1e337c 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -526,7 +526,6 @@ ipip_output(
 if (m == 0) {
 DPRINTF(("%s: M_PREPEND failed\n", __func__));
 ipipstat.ipips_hdrops++;
- *mp = NULL;
 error = ENOBUFS;
 goto bad;
 }
@@ -610,7 +609,8 @@ ipip_output(
 return 0;
 bad:
 if (m)
- m_freem(m), *mp = NULL;
+ m_freem(m);
+ *mp = NULL;
 return (error);
 }
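Review bot: The `m_freem(mp)` kept under the `XXX: Should never happen!` comment frees an mbuf whose ownership is unknown at that point. Because the xform_ipip.c change in this same commit clears `*mp` at `bad:`, a non-NULL `mp` together with an error would mean ipip_output() returned without passing that label, and `mp` could then be a chain it has already freed (inferred; the other exits of ipip_output() are not in this diff). I would make the broken invariant visible instead of freeing silently, for example `KASSERT(mp == NULL, ("%s: ipip_output failed but returned an mbuf", __func__));`, and state in the comment whether a leak is preferred over a possible double free. The body of ipsec4_process_packet() starts and ends outside the hunk, so what `bad:` does with `m` is not visible here.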
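Review bot: The `bad:` exit of ipip_output() now carries an ownership contract that the caller depends on, but nothing in the code states it. A comment above the label such as `/* On failure m is freed here if still held and *mp is cleared; the caller must not free either. */` would keep the two files in step, since ipsec4_process_packet() now sets `m = NULL` on exactly that assumption. The hunk shows only the tail of the function, so it cannot be confirmed from here that every error return reaches `bad:`; an early `return` that skips it would leave `*mp` unset again and bring back the bad-pointer free described in the commit message.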