From nobody@www.freebsd.org  Thu Jun 20 05:47:53 2002
Return-Path: <nobody@www.freebsd.org>
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id 1BF5C37B405
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 20 Jun 2002 05:47:53 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g5KClqhG025776
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 20 Jun 2002 05:47:52 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g5KClqVC025775;
	Thu, 20 Jun 2002 05:47:52 -0700 (PDT)
Message-Id: <200206201247.g5KClqVC025775@www.freebsd.org>
Date: Thu, 20 Jun 2002 05:47:52 -0700 (PDT)
From: Alex Ai <alexai709@msn.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: free NULL mbuf in function icmp_errer()
X-Send-Pr-Version: www-1.0

>Number:         39571
>Category:       kern
>Synopsis:       free NULL mbuf in function icmp_error()
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 20 05:50:03 PDT 2002
>Closed-Date:    Sun Jun 23 10:43:49 PDT 2002
>Last-Modified:  Sun Jun 23 10:43:49 PDT 2002
>Originator:     Alex Ai
>Release:        4.5
>Organization:
broadi. Ltd
>Environment:
>Description:
Tries to free an already freed or NULL mbuf pointer in function icmp_error() in /sys/netinet/ip_icmp.c, which causes a system halt:
;;;
m_free(m);
goto freeit;
;;;
if(m==NULL)
goto freeit;
freeit:
m_free(m);

>How-To-Repeat:
      See the code.
>Fix:
      Do not free it twice; just return. :-)
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: iedowse 
State-Changed-When: Thu Jun 20 06:44:01 PDT 2002 
State-Changed-Why:  

I think you have misread the code. The mbuf chain 'n' being freed 
is not the same as the one 'm' that is tested for NULL. Also, if 
you look at the code for m_freem() you will see that it is safe to 
call it with a NULL argument anyway (icmp_error calls m_freem(), 
not m_free() at the freeit label). 

Can you confirm that you just misread the code so that this problem 
report can be closed? If you have seen a panic that you believe was 
caused by a bug here, please post a stack trace. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=39571 
State-Changed-From-To: feedback->closed 
State-Changed-By: iedowse 
State-Changed-When: Sun Jun 23 10:38:01 PDT 2002 
State-Changed-Why:  

Submitter confirmed that the reported bug does not exist; the real 
problem was a bug in local kernel modifications. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=39571 
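
Added example, not part of the original report or of the FreeBSD source: a simplified user-space C model of the distinction drawn in the first audit-trail reply, where m_free() releases a single mbuf and m_freem() releases a whole chain and accepts NULL. The struct layout, mb_alloc(), live_mbufs and error_path() are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified user-space stand-in for a kernel mbuf: only the chain link. */
struct mbuf { struct mbuf *m_next; };
int live_mbufs = 0; /* constructed bookkeeping: allocated, not yet freed */

/* Hypothetical allocator: prepend one buffer to the chain 'next'. */
struct mbuf *mb_alloc(struct mbuf *next)
{
    struct mbuf *m = malloc(sizeof(*m));
    if (m == NULL)
        return NULL;
    m->m_next = next;
    live_mbufs++;
    return m;
}

/* Model of m_free(): release ONE buffer and return its successor.
 * It dereferences m, so the caller must never pass NULL. */
struct mbuf *m_free(struct mbuf *m)
{
    struct mbuf *next = m->m_next;
    free(m);
    live_mbufs--;
    return next;
}

/* Model of m_freem(): release a whole chain; NULL is a no-op. */
void m_freem(struct mbuf *m)
{
    while (m != NULL)
        m = m_free(m);
}

/* Error path shaped as the reply describes: 'n' is the incoming chain,
 * 'm' a separate reply buffer. A failed allocation of m jumps to freeit,
 * where n (not m) is released exactly once. Returns live_mbufs. */
int error_path(struct mbuf *n, int alloc_fails)
{
    struct mbuf *m = alloc_fails ? NULL : mb_alloc(NULL);
    if (m == NULL)
        goto freeit;
    m_freem(m); /* stand-in for handing the reply to the output path */
freeit:
    m_freem(n);
    return live_mbufs;
}

int main(void) { return error_path(mb_alloc(mb_alloc(NULL)), 1); }
```

A return value of 0 from error_path() means every buffer was released exactly once on both the failing and the succeeding branch.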
>Unformatted:
