igmp: Avoid leaving dangling pointers in the state-change queue

When igmp_v3_merge_state_changes() is iterating over state-change
packets, there is a case where it'll free a queued packet but will fail
to remove it from the queue.  Fix that.

Reported by:	Yuxiang Yang, Yizhou Zhao, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM5.1 from Z.ai
Reviewed by:	pouria, glebius
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D56947
Mark Johnston
2026-05-12 17:53:49 +00:00
parent a6c4fe2d1a
commit beab4a237a
2 changed files with 13 additions and 3 deletions
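As an added illustration (not FreeBSD code and not part of this commit), the following is a self-contained userland model of the defect the message describes: a packet on a singly-linked tail queue is freed while the queue still links to it, and the fix unlinks it first. The names mirror the kernel ones, but the struct layouts, the m_pktlen field, the size-budget skip rule, the three-packet sample and the freed flag are all assumptions of the model; "freeing" only sets a flag so the dangling entry can be counted instead of crashing.

```c
/* Added example, not FreeBSD code. Userland model of the igmp state-change
 * queue bug: types, fields and sample data are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct mbuf {
    struct mbuf *m_nextpkt; /* next packet in the queue */
    int m_pktlen;           /* synthetic packet size in bytes (assumption) */
    bool freed;             /* stands in for the memory having been returned */
};

/* Singly-linked tail queue with a length counter, like the kernel's mbufq. */
struct mbufq {
    struct mbuf *mq_first;
    struct mbuf **mq_last; /* address of the last m_nextpkt link */
    int mq_len;
};

struct result {
    int dangling; /* freed packets still reachable from the queue */
    int qlen;     /* mq_len after the walk */
};

static void mbufq_init(struct mbufq *mq)
{
    mq->mq_first = NULL;
    mq->mq_last = &mq->mq_first;
    mq->mq_len = 0;
}

static void mbufq_enqueue(struct mbufq *mq, struct mbuf *m)
{
    m->m_nextpkt = NULL;
    *mq->mq_last = m;
    mq->mq_last = &m->m_nextpkt;
    mq->mq_len++;
}

/* Unlink m from mq. Walks the list (O(n)); returns false if m is absent. */
static bool mbufq_remove(struct mbufq *mq, struct mbuf *m)
{
    for (struct mbuf **pp = &mq->mq_first; *pp != NULL; pp = &(*pp)->m_nextpkt) {
        if (*pp == m) {
            *pp = m->m_nextpkt;
            if (*pp == NULL)
                mq->mq_last = pp; /* removed the tail: move the tail link back */
            mq->mq_len--;
            return true;
        }
    }
    return false;
}

static void m_freem(struct mbuf *m)
{
    m->freed = true; /* flag instead of free(), so the queue stays inspectable */
}

/* Model of the "outbound queue full, skipping whole packet" path: a packet
 * larger than the remaining budget is skipped, and when docopy is false it is
 * consumed. unlink == false reproduces the old code (free but leave linked);
 * unlink == true is the fixed code (unlink, then free). */
static void skip_oversized(struct mbufq *gq, int budget, bool docopy, bool unlink)
{
    struct mbuf *m = gq->mq_first, *m0;

    while (m != NULL) {
        if (m->m_pktlen > budget) {
            m0 = m->m_nextpkt; /* read the successor before m is touched */
            if (!docopy) {
                if (unlink)
                    mbufq_remove(gq, m);
                m_freem(m);
            }
            m = m0;
            continue;
        }
        budget -= m->m_pktlen;
        m = m->m_nextpkt;
    }
}

/* Build a constructed three-packet queue, run one variant with a 300-byte
 * budget, and report how many freed packets the queue still points at. */
static struct result run_variant(bool unlink)
{
    struct mbuf pkts[3] = {
        { NULL, 100, false }, { NULL, 500, false }, { NULL, 200, false },
    };
    struct mbufq gq;
    struct result r = { 0, 0 };

    mbufq_init(&gq);
    for (size_t i = 0; i < 3; i++)
        mbufq_enqueue(&gq, &pkts[i]);
    skip_oversized(&gq, 300, false, unlink);

    for (const struct mbuf *m = gq.mq_first; m != NULL; m = m->m_nextpkt)
        if (m->freed)
            r.dangling++; /* a real kernel would now be walking freed memory */
    r.qlen = gq.mq_len;
    return r;
}

int main(void)
{
    struct result b = run_variant(false), a = run_variant(true);
    printf("old code: %d dangling, mq_len=%d\n", b.dangling, b.qlen);
    printf("fixed:    %d dangling, mq_len=%d\n", a.dangling, a.qlen);
    return 0;
}
```

The 500-byte packet exceeds the remaining budget after the first packet, so it is skipped and freed. With the old ordering the queue keeps its pointer to it and reports one dangling entry with mq_len still 3; with the fix the entry is unlinked first, mq_len drops to 2 and nothing freed remains reachable. The successor is always read before mbufq_remove, which is the same ordering the real hunk relies on.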
+5 -3
@@ -3326,10 +3326,12 @@ igmp_v3_merge_state_changes(struct in_multi *inm, struct mbufq *scq)
CTR2(KTR_IGMPV3,
"%s: outbound queue full, skipping whole packet %p",
__func__, m);
mt = m->m_nextpkt;
if (!docopy)
m0 = m->m_nextpkt;
if (!docopy) {
mbufq_remove(gq, m);
m_freem(m);
m = mt;
}
m = m0;
continue;
}
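Review bot: the ordering of `m0 = m->m_nextpkt;` ahead of `mbufq_remove(gq, m);` is load-bearing and deserves a one-line comment, because STAILQ_REMOVE trashes the removed element's link field when queue debugging is enabled and the old code's habit of reading the successor after touching m would then walk freed or poisoned memory; a later reorder of these two lines would silently reintroduce the bug. The rendering here has dropped the +/- markers, but from the +5 -3 file stats the removed lines are `mt = m->m_nextpkt;`, the brace-less `if (!docopy)` and `m = mt;`, so the old path freed m while it stayed linked in gq, which is the dangling entry the message describes, and the added `if (!docopy) { mbufq_remove(gq, m); m_freem(m); }` unlinks before freeing. Note also that mbufq_remove is an O(n) walk, so each skipped packet costs a traversal of gq; that is fine on this rare queue-full path but worth stating in the comment so nobody moves the call into a hot loop.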
+8
@@ -1656,6 +1656,14 @@ mbufq_enqueue(struct mbufq *mq, struct mbuf *m)
return (0);
}
static inline void
mbufq_remove(struct mbufq *mq, struct mbuf *m)
{
STAILQ_REMOVE(&mq->mq_head, m, mbuf, m_stailqpkt);
mq->mq_len--;
}
static inline struct mbuf *
mbufq_dequeue(struct mbufq *mq)
{
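Review bot: mbufq_remove() is added without a comment or a precondition, and unlike its neighbours mbufq_enqueue() and mbufq_dequeue() it is O(n), since STAILQ_REMOVE has to walk from the head to find the predecessor of m and assumes m is actually on the list, running off the end of the queue if it is not. A short header comment stating both, for example `/* Unlink m from mq; m must be queued. O(n) in the queue length. */`, would stop callers from treating it as a constant-time operation. It would also help to say that the removed mbuf's m_nextpkt is not cleared by this helper (and is trashed under queue debugging), so a caller that still needs the successor must read it before calling mbufq_remove(), which is what the igmp caller in this commit does.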