Fix a use-after-free bug that could cause multi-link fragment reassembly to
fail for a long time (until the incoming sequence numbers wrapped around). Reported by: Matthew Impett <mimpett@Glue.umd.edu> MFC after: 3 days
parent
7fd03de4a0
commit
cd00a5e471
@ -1418,6 +1418,7 @@ ng_ppp_frag_checkstale(node_p node)
|
||||
meta_p meta;
|
||||
int i, seq;
|
||||
item_p item;
|
||||
int endseq;
|
||||
|
||||
now.tv_sec = 0; /* uninitialized state */
|
||||
while (1) {
|
||||
@ -1468,11 +1469,12 @@ ng_ppp_frag_checkstale(node_p node)
|
||||
}
|
||||
|
||||
/* Extract completed packet */
|
||||
endseq = end->seq;
|
||||
ng_ppp_get_packet(node, &m, &meta);
|
||||
|
||||
/* Bump MSEQ if necessary */
|
||||
if (MP_RECV_SEQ_DIFF(priv, priv->mseq, end->seq) < 0) {
|
||||
priv->mseq = end->seq;
|
||||
if (MP_RECV_SEQ_DIFF(priv, priv->mseq, endseq) < 0) {
|
||||
priv->mseq = endseq;
|
||||
for (i = 0; i < priv->numActiveLinks; i++) {
|
||||
struct ng_ppp_link *const alink =
|
||||
&priv->links[priv->activeLinks[i]];
|
||||
|
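Review bot: The added `endseq = end->seq;` ahead of `ng_ppp_get_packet(node, &m, &meta);` carries no comment saying why the value is copied, so a later cleanup could fold it back into `end->seq` and reintroduce the stale read the commit message describes. I would put `/* Save seq now: ng_ppp_get_packet() may free the fragment 'end' points to */` above the assignment; that the call releases the fragment is inferred from the commit message, not visible in these hunks. `end` is also left pointing at the released fragment after the call, so adding `end = NULL;` right after it would make any later stray use fail loudly instead of reading stale memory, provided nothing further down the loop relies on it. The body of ng_ppp_frag_checkstale starts and ends outside these hunks, so that last point needs checking against the full function.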