Fix a crash in tcp_input(), that happens when mbuf has a fwd_tag on it,
but later after processing and freeing the tag, we need to jump back again to the findpcb label. Since the fwd_tag pointer wasn't NULL we tried to process and free the tag for second time. Reported & tested by: Pawel Tyll <ptyll nitronet.pl> MFC after: 3 days
This commit is contained in:
parent
83da9362b7
commit
78a7880f64
@ -810,6 +810,7 @@ findpcb:
|
||||
/* Remove the tag from the packet. We don't need it anymore. */
|
||||
m_tag_delete(m, fwd_tag);
|
||||
m->m_flags &= ~M_IP_NEXTHOP;
|
||||
fwd_tag = NULL;
|
||||
} else if (isipv6) {
|
||||
inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src,
|
||||
th->th_sport, &ip6->ip6_dst, th->th_dport,
|
||||
@ -847,6 +848,7 @@ findpcb:
|
||||
/* Remove the tag from the packet. We don't need it anymore. */
|
||||
m_tag_delete(m, fwd_tag);
|
||||
m->m_flags &= ~M_IP_NEXTHOP;
|
||||
fwd_tag = NULL;
|
||||
} else
|
||||
inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src,
|
||||
th->th_sport, ip->ip_dst, th->th_dport,
|
||||
|
Loading…
x
Reference in New Issue
Block a user