On 11.03.2015 11:39, Kristof Provost wrote: > The pf code in pf_route6() neglected to set the mbuf pointer to NULL > after the call to ip6_output(). As a result we end up trying to continue > processing on an mbuf which has already been freed. > --- > sys/netpfil/pf/pf.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c > index b32288b..7c3ddb8 100644 > --- a/sys/netpfil/pf/pf.c > +++ b/sys/netpfil/pf/pf.c > @@ -5470,6 +5470,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, > struct ifnet *oifp, > PF_STATE_UNLOCK(s); > m0->m_flags |= M_SKIP_FIREWALL; > ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); > + *m = NULL; > return; > }
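Review bot: the added `*m = NULL;` is unconditional, but nothing in this hunk shows that `m0` and `*m` are the same mbuf; if an earlier path in pf_route6() handed a copy to `ip6_output()` while leaving the original in `*m`, clearing the caller's pointer here leaks that original instead of letting the caller free it. Suggest either guarding the assignment (`if (*m == m0) *m = NULL;`) or freeing the original explicitly on the copy path, and stating in the commit message which paths reach this `return` with `m0 == *m` so the use-after-free reasoning can be checked.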
It looks like there are some code paths that make a copy of the original mbuf. Are you sure this doesn't introduce an mbuf leak?

-- 
WBR, Andrey V. Elsukov