if_vxlan: Update *m0 after a pullup

vxlan_input()'s caller is supposed to free *m0 if it is non-NULL after
the function returns.  vxlan_input() failed to update *m0 after the
pullup however, so if it hits an error case after the pullup, we'll free
the mbuf twice.  Currently this can happen only if the interface is
brought down or due to a packet loop.

Reported by:	Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai
Reviewed by:	pouria, zlei
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D56944
Mark Johnston
2026-05-12 17:50:15 +00:00
parent 8b4b995eff
commit a6c4fe2d1a
+1 -2
@@ -2876,8 +2876,7 @@ vxlan_input(struct vxlan_socket *vso, uint32_t vni, struct mbuf **m0,
ifp = sc->vxl_ifp;
if (m->m_len < ETHER_HDR_LEN &&
(m = m_pullup(m, ETHER_HDR_LEN)) == NULL) {
*m0 = NULL;
(m = *m0 = m_pullup(m, ETHER_HDR_LEN)) == NULL) {
error = ENOBUFS;
goto out;
}
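Review bot: The chained assignment `(m = *m0 = m_pullup(m, ETHER_HDR_LEN)) == NULL` in the `if` condition carries the whole ownership contract and deserves a one-line comment saying that *m0 must follow m because the caller frees whatever *m0 points to on return. As written it covers both outcomes: on failure *m0 becomes NULL, matching the removed `*m0 = NULL;` line, and on success *m0 now names the mbuf returned by the pullup instead of the stale pointer that caused the double free on a later `goto out`. Since the hunk shows only this one site, please also confirm that no other path between here and `out` replaces or hands off m without updating *m0 the same way.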