authorArchie Cobbs <archie@FreeBSD.org>2003-03-05 23:12:59 +0000
committerArchie Cobbs <archie@FreeBSD.org>2003-03-05 23:12:59 +0000
commit2b2a8188b1eba59f74780a5f0ad1d130d39cfd2e (patch)
treedcfdb95dddbf10c22b77052aafd091a6d7617946 /sys/netgraph/ng_ppp.c
parent31eac03b4b27bc886f0568d8179dc9c2c4775339 (diff)
Fix a use-after-free bug that could cause multi-link fragment reassembly to
fail for a long time (until the incoming sequence numbers wrapped around).

Reported by: Matthew Impett <mimpett@Glue.umd.edu>
MFC after: 3 days
Notes
Notes: svn path=/head/; revision=111934
Diffstat (limited to 'sys/netgraph/ng_ppp.c')
-rw-r--r--sys/netgraph/ng_ppp.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netgraph/ng_ppp.c b/sys/netgraph/ng_ppp.c
index 6ffb0829d65b..6dfa4a4ac74b 100644
--- a/sys/netgraph/ng_ppp.c
+++ b/sys/netgraph/ng_ppp.c
@@ -1418,6 +1418,7 @@ ng_ppp_frag_checkstale(node_p node)
meta_p meta;
int i, seq;
item_p item;
+ int endseq;
now.tv_sec = 0; /* uninitialized state */
while (1) {
@@ -1468,11 +1469,12 @@ ng_ppp_frag_checkstale(node_p node)
}
/* Extract completed packet */
+ endseq = end->seq;
ng_ppp_get_packet(node, &m, &meta);
/* Bump MSEQ if necessary */
- if (MP_RECV_SEQ_DIFF(priv, priv->mseq, end->seq) < 0) {
- priv->mseq = end->seq;
+ if (MP_RECV_SEQ_DIFF(priv, priv->mseq, endseq) < 0) {
+ priv->mseq = endseq;
for (i = 0; i < priv->numActiveLinks; i++) {
struct ng_ppp_link *const alink =
&priv->links[priv->activeLinks[i]];
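Review bot: The added `endseq = end->seq;` has no comment saying why the sequence number must be read before `ng_ppp_get_packet()` runs, so a later cleanup could fold it back into `end->seq` and reintroduce the use-after-free the commit message describes. Going by that message, the call apparently releases the fragment `end` points to; a line such as `/* Save seq now: ng_ppp_get_packet() frees the fragment 'end' refers to */` above the assignment would record the ordering constraint. `end` is still left dangling after the call, and the rest of the loop in ng_ppp_frag_checkstale lies outside this hunk, so it is worth confirming that nothing further down dereferences it before it is reassigned. Other callers of `ng_ppp_get_packet()` are not visible here and may deserve the same check.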