CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	gjb <gjb@FreeBSD.org>
	Thu, 30 Jul 2015 16:06:13 +0000 (16:06 +0000)
committer	gjb <gjb@FreeBSD.org>
	Thu, 30 Jul 2015 16:06:13 +0000 (16:06 +0000)
commit	d83a2c49a324ab3f027965a6ff12e3e114983c04
tree	9d71d848c00154c3ae0acbd3f59895134a986f6f	tree \| snapshot
parent	519cc2faa26022a5534ebed0a9ebba8553d8ca4f	commit \| diff

MFC r285999 (kp):
  pf: Always initialise pf_fragment.fr_flags

  When we allocate the struct pf_fragment in pf_fillup_fragment() we
  forgot to initialise the fr_flags field. As a result we sometimes
  mistakenly thought the fragment to not be a buffered fragment.
  This resulted in panics because we'd end up freeing the pf_fragment
  but not removing it from V_pf_fragqueue (believing it to be part of
  V_pf_cachequeue).  The next time we iterated V_pf_fragqueue we'd use
  a freed object and panic.

  While here also fix a pf_fragment use after free in pf_normalize_ip().
  pf_reassemble() frees the pf_fragment, so we can't use it any more.

X-MFS-To: releng/10.2
Sponsored by: The FreeBSD Foundation