loopback: fix use-after-free
Once we hand an mbuf over to netisr_queue() we may no longer access it.
Save the length before the call so we can use it to increment counters
afterwards.
Fixes: 956acdce05 ("loopback: Account for packet drops")
Sponsored by: Rubicon Communications, LLC ("Netgate")
This commit is contained in:
+3
-1
@@ -276,6 +276,7 @@ int
|
|||||||
if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen)
|
if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen)
|
||||||
{
|
{
|
||||||
int isr;
|
int isr;
|
||||||
|
int32_t len;
|
||||||
|
|
||||||
M_ASSERTPKTHDR(m);
|
M_ASSERTPKTHDR(m);
|
||||||
m_tag_delete_nonpersistent(m);
|
m_tag_delete_nonpersistent(m);
|
||||||
@@ -350,9 +351,10 @@ if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen)
|
|||||||
m_freem(m);
|
m_freem(m);
|
||||||
return (EAFNOSUPPORT);
|
return (EAFNOSUPPORT);
|
||||||
}
|
}
|
||||||
|
len = m->m_pkthdr.len;
|
||||||
if (netisr_queue(isr, m) == 0) {
|
if (netisr_queue(isr, m) == 0) {
|
||||||
if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
|
if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
|
||||||
if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
|
if_inc_counter(ifp, IFCOUNTER_IBYTES, len);
|
||||||
} else {
|
} else {
|
||||||
/* mbuf is free'd on failure. */
|
/* mbuf is free'd on failure. */
|
||||||
if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
|
if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
|
||||||
|
|||||||
Reference in New Issue
Block a user