From 72ae530b1ed9ee170ede8ceeb2fa8b907b7d680e Mon Sep 17 00:00:00 2001
From: claudio
Date: Thu, 7 Mar 2024 14:49:47 +0000
Subject: [PATCH] Fix possible double free in error path of ixgbe_rxeof.
If fmp is not-NULL then the buf is part of the mbuf chain of fmp. So only m_freem either fmp or buf but clear both values. Also clear the M_PKTHDR flag if buf aka mp is not the first buffer in the chain. Double free found by bluhm@ OK bluhm@ jan@
---
 sys/dev/pci/if_ix.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/sys/dev/pci/if_ix.c b/sys/dev/pci/if_ix.c
index c623bb50938..fa1c5681949 100644
--- a/sys/dev/pci/if_ix.c
+++ b/sys/dev/pci/if_ix.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_ix.c,v 1.209 2024/02/15 10:56:53 mglocker Exp $ */
+/* $OpenBSD: if_ix.c,v 1.210 2024/03/07 14:49:47 claudio Exp $ */
 
 /******************************************************************************
 
@@ -3174,10 +3174,10 @@ ixgbe_rxeof(struct rx_ring *rxr)
 if (staterr & IXGBE_RXDADV_ERR_FRAME_ERR_MASK) {
 if (rxbuf->fmp) {
 m_freem(rxbuf->fmp);
- rxbuf->fmp = NULL;
+ } else {
+ m_freem(mp);
 }
-
- m_freem(mp);
+ rxbuf->fmp = NULL;
 rxbuf->buf = NULL;
 goto next_desc;
 }
@@ -3224,6 +3224,8 @@ ixgbe_rxeof(struct rx_ring *rxr)
 sendmp = mp;
 sendmp->m_pkthdr.len = 0;
 sendmp->m_pkthdr.ph_mss = 0;
+ } else {
+ mp->m_flags &= ~M_PKTHDR;
 }
 sendmp->m_pkthdr.len += mp->m_len;
 /*
-- 
2.20.1
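Review bot: The new error path in the `IXGBE_RXDADV_ERR_FRAME_ERR_MASK` branch now depends on an invariant that is stated only in the commit message: when `rxbuf->fmp` is set, `mp` has already been linked into that chain, so freeing `fmp` releases `mp` too and freeing both is a double free. That dependency should be visible at the call site so a later edit does not reintroduce the second `m_freem(mp)`; a comment above the `if (rxbuf->fmp) {` such as `/* mp is already chained into fmp; m_freem(fmp) frees it as well */` would do. The enclosing function ixgbe_rxeof starts and ends outside this hunk, so the chaining step that establishes the invariant is not visible here; the comment should point at it.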
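Review bot: In the second hunk, `mp->m_flags &= ~M_PKTHDR;` on a continuation buffer is the right shape, but clearing the flag does not release any packet-header state the mbuf may carry; if a receive buffer was allocated with a header, any per-header resources (tags, for instance) would presumably no longer be freed once the mbuf is treated as a plain data mbuf, so it is worth confirming that rx buffers are header-clean at this point. A short comment would make the intent explicit, e.g. `/* only the first mbuf of the chain carries the packet header */` above the new `} else {`. The surrounding `sendmp` handling begins before this hunk and the chain-linking of `mp` happens outside it, so the full picture is not visible here.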