svn commit: r209796 - stable/8/sys/netgraph

[Gleb Smirnoff]

Author: glebius
Date: Thu Jul  8 12:21:25 2010
New Revision: 209796
URL: http://svn.freebsd.org/changeset/base/209796

Log:
  Merge 209633, 209722 from head:
  
    The struct ipfw_rule_ref follows the struct m_tag. Deal with this
    correctly. This fixes breakage of ng_ipfw(4) in r201527.
  
  Submitted by:	Alexander Zagrebin <alexz visp.ru>
  
    Avoid double-free. In error cases ipfw(4) frees the mbuf(4), we don't
    need to.
  
  PR:		kern/145462

Modified:
  stable/8/sys/netgraph/ng_ipfw.c

Modified: stable/8/sys/netgraph/ng_ipfw.c
==============================================================================
--- stable/8/sys/netgraph/ng_ipfw.c	Thu Jul  8 12:20:15 2010	(r209795)
+++ stable/8/sys/netgraph/ng_ipfw.c	Thu Jul  8 12:21:25 2010	(r209796)
@@ -221,20 +221,21 @@ ng_ipfw_findhook1(node_p node, u_int16_t
 static int
 ng_ipfw_rcvdata(hook_p hook, item_p item)
 {
-	struct ipfw_rule_ref	*tag;
+	struct m_tag *tag;
+	struct ipfw_rule_ref *r;
 	struct mbuf *m;
 
 	NGI_GET_M(item, m);
 	NG_FREE_ITEM(item);
 
-	tag = (struct ipfw_rule_ref *)
-		m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL);
+	tag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL);
 	if (tag == NULL) {
 		NG_FREE_M(m);
 		return (EINVAL);	/* XXX: find smth better */
 	};
 
-	if (tag->info & IPFW_INFO_IN) {
+	r = (struct ipfw_rule_ref *)(tag + 1);
+	if (r->info & IPFW_INFO_IN) {
 		ip_input(m);
 		return (0);
 	} else {
@@ -264,11 +265,8 @@ ng_ipfw_input(struct mbuf **m0, int dir,
 	 * Node must be loaded and corresponding hook must be present.
 	 */
 	if (fw_node == NULL || 
-	   (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL) {
-		if (tee == 0)
-			m_freem(*m0);
+	   (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL)
 		return (ESRCH);		/* no hook associated with this rule */
-	}
 
 	/*
 	 * We have two modes: in normal mode we add a tag to packet, which is