Oops, I misread the purpose of the NULL check in EH_RESTORE() in

revision 1.62. It was checking for M_PREPEND() failing, not for the
case of a NULL mbuf pointer being supplied to the macro. Back out
that revision, and fix the NULL dereference by not calling EH_RESTORE()
in the case where the mbuf pointer is NULL because the firewall
rejected the packet.
iedowse 2002-12-27 17:15:16 +00:00
parent 4dcc4f2f7e
commit f6258ba488


@ -799,11 +799,11 @@ static struct mbuf *
bdg_forward(struct mbuf *m0, struct ifnet *dst)
{
#define EH_RESTORE(_m) do { \
M_PREPEND((_m), ETHER_HDR_LEN, M_DONTWAIT); \
if ((_m) == NULL) { \
bdg_dropped++; \
return NULL; \
} \
M_PREPEND((_m), ETHER_HDR_LEN, M_DONTWAIT); \
if (eh != mtod((_m), struct ether_header *)) \
bcopy(&save_eh, mtod((_m), struct ether_header *), ETHER_HDR_LEN); \
else \
@ -959,7 +959,8 @@ bdg_forward(struct mbuf *m0, struct ifnet *dst)
i = ip_fw_chk_ptr(&args);
m0 = args.m; /* in case the firewall used the mbuf */
EH_RESTORE(m0); /* restore Ethernet header */
if (m0 != NULL)
EH_RESTORE(m0); /* restore Ethernet header */
if ( (i & IP_FW_PORT_DENY_FLAG) || m0 == NULL) /* drop */
return m0 ;
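Review bot: EH_RESTORE() still carries no comment saying that `_m` must be non-NULL on entry, which is the misreading behind revision 1.62 and the NULL dereference fixed here. With the back-out, M_PREPEND() runs before the NULL test, so that test only catches a failed M_DONTWAIT prepend; a comment above the `#define` such as `/* _m must be non-NULL on entry; the NULL test below catches M_PREPEND() failure */` would record the contract. The macro also hides a `return NULL` out of bdg_forward(), so any other EH_RESTORE() call site outside these hunks that can be handed a NULL mbuf would presumably need the same `if (m0 != NULL)` guard as the one added in the second hunk. Both the macro body and bdg_forward() continue outside the lines shown.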