svn commit: r296302 - head/sys/net80211
Mark Johnston
markj at FreeBSD.org
Wed Mar 2 05:01:59 UTC 2016
Author: markj
Date: Wed Mar 2 05:01:58 2016
New Revision: 296302
URL: https://svnweb.freebsd.org/changeset/base/296302
Log:
Use m_catpkt(9) to avoid a possible use-after-free in ieee80211_defrag().
m is not guaranteed to be valid after m_cat() returns. The effects of this
are most noticeable when INVARIANTS is enabled, since m's header length
field is given a value of 0xdeadc0de by the trash dtor.
Reviewed by: glebius
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D5497
Modified:
head/sys/net80211/ieee80211_input.c
Modified: head/sys/net80211/ieee80211_input.c
==============================================================================
--- head/sys/net80211/ieee80211_input.c Wed Mar 2 04:58:51 2016 (r296301)
+++ head/sys/net80211/ieee80211_input.c Wed Mar 2 05:01:58 2016 (r296302)
@@ -249,9 +249,7 @@ ieee80211_defrag(struct ieee80211_node *
mfrag = m;
} else { /* concatenate */
m_adj(m, hdrspace); /* strip header */
- m_cat(mfrag, m);
- /* NB: m_cat doesn't update the packet header */
- mfrag->m_pkthdr.len += m->m_pkthdr.len;
+ m_catpkt(mfrag, m);
/* track last seqnum and fragno */
lwh = mtod(mfrag, struct ieee80211_frame *);
*(uint16_t *) lwh->i_seq = *(uint16_t *) wh->i_seq;
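Review bot: the context line after the new m_catpkt(mfrag, m) call still reads wh->i_seq, and if wh points into m's data (its assignment is outside this hunk), that read has the same stale-access problem the log message describes, because m is not guaranteed to be valid once the concatenation returns. Consider copying the sequence field into a local uint16_t before the m_catpkt() call and storing that local into lwh->i_seq afterwards. A one-line comment at the call stating that m must not be dereferenced after it would help keep this from regressing.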