HomeFreeBSD

divert: Fix mbuf ownership confusion in div_output()

Description

divert: Fix mbuf ownership confusion in div_output()

div_output_outbound() and div_output_inbound() relied on the caller to
free the mbuf if an error occurred. However, this is contrary to the
semantics of their callees, ip_output(), ip6_output() and
netisr_queue_src(), which always consume the mbuf. So, if one of these
functions returned an error, that would get propagated up to
div_output(), resulting in a double free.

Fix the problem by making div_output_outbound() and div_output_inbound()
responsible for freeing the mbuf in all cases.

Reported by: Michael Schmiedgen <schmiedgen@gmx.net>
Tested by: Michael Schmiedgen
Reviewed by: donner
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D30129

Details

Provenance
markjAuthored on May 7 2021, 6:27 PM
Reviewer
donner
Differential Revision
D30129: divert: Fix mbuf ownership confusion in div_output()
Parents
rG831850d8b087: stack(9): Disable KASAN in stack_capture()
Branches
Unknown
Tags
Unknown