loopback: fix use-after-free

Once we hand an mbuf over to netisr_queue() we may no longer access it.
Save the length before the call so we can use it to increment counters
afterwards.

Fixes:		956acdce05 ("loopback: Account for packet drops")
Sponsored by:	Rubicon Communications, LLC ("Netgate")
This commit is contained in:
Kristof Provost
2026-04-21 11:19:26 +02:00
parent 9933bdcb12
commit 07a3501e6c
+3 -1
View File
@@ -276,6 +276,7 @@ int
if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen) if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen)
{ {
int isr; int isr;
int32_t len;
M_ASSERTPKTHDR(m); M_ASSERTPKTHDR(m);
m_tag_delete_nonpersistent(m); m_tag_delete_nonpersistent(m);
@@ -350,9 +351,10 @@ if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen)
m_freem(m); m_freem(m);
return (EAFNOSUPPORT); return (EAFNOSUPPORT);
} }
len = m->m_pkthdr.len;
if (netisr_queue(isr, m) == 0) { if (netisr_queue(isr, m) == 0) {
if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len); if_inc_counter(ifp, IFCOUNTER_IBYTES, len);
} else { } else {
/* mbuf is free'd on failure. */ /* mbuf is free'd on failure. */
if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1); if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);