if_vxlan: Update *m0 after a pullup
vxlan_input()'s caller is supposed to free *m0 if it is non-NULL after the function returns. vxlan_input() failed to update *m0 after the pullup however, so if it hits an error case after the pullup, we'll free the mbuf twice. Currently this can happen only if the interface is brought down or due to a packet loop. Reported by: Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai Reviewed by: pouria, zlei MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D56944
This commit is contained in:
+1
-2
@@ -2876,8 +2876,7 @@ vxlan_input(struct vxlan_socket *vso, uint32_t vni, struct mbuf **m0,
|
||||
|
||||
ifp = sc->vxl_ifp;
|
||||
if (m->m_len < ETHER_HDR_LEN &&
|
||||
(m = m_pullup(m, ETHER_HDR_LEN)) == NULL) {
|
||||
*m0 = NULL;
|
||||
(m = *m0 = m_pullup(m, ETHER_HDR_LEN)) == NULL) {
|
||||
error = ENOBUFS;
|
||||
goto out;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user