igmp: Avoid leaving dangling pointers in the state-change queue
While igmp_v3_merge_state_changes() is iterating over the state-change queue, one path frees a queued packet without unlinking it from the queue, leaving a dangling pointer behind. Unlink the packet from the queue before freeing it. Reported by: Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai Reviewed by: pouria, glebius MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D56947
+5
-3
@@ -3326,10 +3326,12 @@ igmp_v3_merge_state_changes(struct in_multi *inm, struct mbufq *scq)
|
||||
CTR2(KTR_IGMPV3,
|
||||
"%s: outbound queue full, skipping whole packet %p",
|
||||
__func__, m);
|
||||
mt = m->m_nextpkt;
|
||||
if (!docopy)
|
||||
m0 = m->m_nextpkt;
|
||||
if (!docopy) {
|
||||
mbufq_remove(gq, m);
|
||||
m_freem(m);
|
||||
m = mt;
|
||||
}
|
||||
m = m0;
|
||||
continue;
|
||||
}
|
||||
|
||||
|
||||
@@ -1656,6 +1656,14 @@ mbufq_enqueue(struct mbufq *mq, struct mbuf *m)
|
||||
return (0);
|
||||
}
|
||||
|
||||
static inline void
|
||||
mbufq_remove(struct mbufq *mq, struct mbuf *m)
|
||||
{
|
||||
|
||||
STAILQ_REMOVE(&mq->mq_head, m, mbuf, m_stailqpkt);
|
||||
mq->mq_len--;
|
||||
}
|
||||
|
||||
static inline struct mbuf *
|
||||
mbufq_dequeue(struct mbufq *mq)
|
||||
{
|
||||
|
||||
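Review bot: mbufq_remove() has no header comment, and its two non-obvious properties deserve one: STAILQ_REMOVE() walks the list from the head to find the predecessor, so this is O(queue length) rather than O(1) like the other mbufq operations, and it relies on m actually being on mq (a non-member would make that walk run off the end of the list). I would add above the definition `/* Unlink m, which must be on mq, from the middle of the queue. Walks the list from the head, so it is O(n); use only on the rare drop path, not as a general dequeue. */`. Note also that this helper does not clear m's link, which is fine for the one caller in this commit because it frees m immediately, but a future caller that re-enqueues m elsewhere should be aware of it.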