From e5bafa39b1505c9befb314a78ed39f17b98d1698 Mon Sep 17 00:00:00 2001
From: fjoe
Date: Sun, 6 Nov 2011 05:23:42 +0000
Subject: [PATCH] Fix potential double mbuf free: M_PREPEND may free mbuf chain and return NULL but item will still have the reference ot the mbuf chain and will free it upon destruction.
---
 sys/netgraph/ng_cisco.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/netgraph/ng_cisco.c b/sys/netgraph/ng_cisco.c
index 76dc1eca7ac2..aa12b757bcaf 100644
--- a/sys/netgraph/ng_cisco.c
+++ b/sys/netgraph/ng_cisco.c
@@ -359,12 +359,13 @@ cisco_rcvdata(hook_p hook, item_p item)
 /* OK so it came from a protocol, heading out. Prepend general data packet header. For now, IP,IPX only */
- m = NGI_M(item); /* still associated with item */
+ NGI_GET_M(item, m);
 M_PREPEND(m, CISCO_HEADER_LEN, M_DONTWAIT);
 if (!m) {
 error = ENOBUFS;
 goto out;
 }
+ NGI_M(item) = m;
 h = mtod(m, struct cisco_header *);
 h->address = CISCO_UNICAST;
 h->control = 0;
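Review bot: The detach/re-attach pair around `M_PREPEND` carries no comment, whereas the line it replaces documented ownership with `/* still associated with item */`; a later cleanup could fold `NGI_GET_M(item, m)` back into `m = NGI_M(item)` and reintroduce the double free the subject describes. I would add above `NGI_GET_M(item, m);` a comment such as `/* Detach m: M_PREPEND() frees the chain on failure, so item must not keep a pointer to it */`, and beside `NGI_M(item) = m;` the comment `/* re-attach the (possibly new) chain head */`. The fix also relies on the `out:` path releasing the item while its mbuf pointer is NULL, and on no other exit being taken while the mbuf is detached. Both lie outside this hunk in `cisco_rcvdata`, so they should be confirmed against the full function.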