loopback: fix use-after-free
Once we hand an mbuf over to netisr_queue() we may no longer access it.
Save the length before the call so we can use it to increment counters
afterwards.
Fixes: 956acdce05 ("loopback: Account for packet drops")
Sponsored by: Rubicon Communications, LLC ("Netgate")
This commit is contained in:
+3
-1
@@ -276,6 +276,7 @@ int
|
||||
if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen)
|
||||
{
|
||||
int isr;
|
||||
int32_t len;
|
||||
|
||||
M_ASSERTPKTHDR(m);
|
||||
m_tag_delete_nonpersistent(m);
|
||||
@@ -350,9 +351,10 @@ if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen)
|
||||
m_freem(m);
|
||||
return (EAFNOSUPPORT);
|
||||
}
|
||||
len = m->m_pkthdr.len;
|
||||
if (netisr_queue(isr, m) == 0) {
|
||||
if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
|
||||
if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
|
||||
if_inc_counter(ifp, IFCOUNTER_IBYTES, len);
|
||||
} else {
|
||||
/* mbuf is free'd on failure. */
|
||||
if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
|
||||
|
||||
Reference in New Issue
Block a user