Module Name:    src
Committed By:   maxv
Date:           Wed Feb  1 17:58:47 UTC 2017

Modified Files:
        src/sys/net: if_pppoe.c

Log Message:
Not sure what we are trying to achieve here, but there are two issues;
error can be printed while it is not initialized, and if m_pulldown fails
m is freed and reused.

Quickly reviewed by christos and martin


To generate a diff of this commit:
cvs rdiff -u -r1.123 -r1.124 src/sys/net/if_pppoe.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_pppoe.c
diff -u src/sys/net/if_pppoe.c:1.123 src/sys/net/if_pppoe.c:1.124
--- src/sys/net/if_pppoe.c:1.123	Tue Dec 27 01:31:06 2016
+++ src/sys/net/if_pppoe.c	Wed Feb  1 17:58:47 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: if_pppoe.c,v 1.123 2016/12/27 01:31:06 christos Exp $ */
+/* $NetBSD: if_pppoe.c,v 1.124 2017/02/01 17:58:47 maxv Exp $ */
 
 /*-
  * Copyright (c) 2002, 2008 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_pppoe.c,v 1.123 2016/12/27 01:31:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_pppoe.c,v 1.124 2017/02/01 17:58:47 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "pppoe.h"
@@ -621,19 +621,21 @@ pppoe_dispatch_disc_pkt(struct mbuf *m, 
 		case PPPOE_TAG_ACNAME:
 			error = NULL;
 			if (sc != NULL && len > 0) {
-				error = malloc(len+1, M_TEMP, M_NOWAIT);
-				if (error) {
-					n = m_pulldown(m, off + sizeof(*pt),
-					    len, &noff);
-					if (n) {
-						strlcpy(error,
-						    mtod(n, char*) + noff,
-						    len);
-					}
-					printf("%s: connected to %s\n",
-					    devname, error);
+				error = malloc(len + 1, M_TEMP, M_NOWAIT);
+				if (error == NULL)
+					break;
+
+				n = m_pulldown(m, off + sizeof(*pt), len,
+				    &noff);
+				if (!n) {
+					m = NULL;
 					free(error, M_TEMP);
+					goto done;
 				}
+
+				strlcpy(error, mtod(n, char*) + noff, len + 1);
+				printf("%s: connected to %s\n", devname, error);
+				free(error, M_TEMP);
 			}
 			break;	/* ignored */
 		case PPPOE_TAG_HUNIQUE: {
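Review bot: The `strlcpy(error, mtod(n, char*) + noff, len + 1)` call in the PPPOE_TAG_ACNAME case still treats packet bytes as a C string. strlcpy walks its source up to a terminating NUL to compute its return value, while the m_pulldown call only asks for `len` contiguous bytes, so a tag value with no NUL byte can make the kernel read past the tag. A bounded copy avoids that: `memcpy(error, mtod(n, char *) + noff, len); error[len] = '\0';`. The same call is in the err_msg block of the next hunk and needs the same change. The AC-Name is supplied by the peer and printed with `%s`, so non-printable bytes may be worth filtering before logging; the `done` label and the rest of pppoe_dispatch_disc_pkt are outside the hunk.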
@@ -704,12 +706,15 @@ pppoe_dispatch_disc_pkt(struct mbuf *m, 
 		if (err_msg) {
 			error = NULL;
 			if (errortag && len) {
-				error = malloc(len+1, M_TEMP, M_NOWAIT);
+				error = malloc(len + 1, M_TEMP,
+				    M_NOWAIT|M_ZERO);
 				n = m_pulldown(m, off + sizeof(*pt), len,
 				    &noff);
-				if (n && error) {
-					strlcpy(error, 
-					    mtod(n, char *) + noff, len);
+				if (!n) {
+					m = NULL;
+				} else if (error) {
+					strlcpy(error, mtod(n, char *) + noff,
+					    len + 1);
 				}
 			}
 			if (error) {
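Review bot: When m_pulldown fails in the err_msg block, `m` is cleared but `error` stays allocated and, because of M_ZERO, holds an empty string. The `if (error)` branch that follows is then entered with an empty text rather than the no-text case being taken. Releasing the buffer on that path keeps the two cases distinct: `if (error) { free(error, M_TEMP); error = NULL; }` next to `m = NULL;`. A short comment there, such as `/* m_pulldown freed the chain on failure; m must not be used again */`, would record why `m` is cleared. The code after `if (error) {` is outside the hunk, so whether it returns before touching `m` again cannot be confirmed from here.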
