[src/trunk]: src/sys/netipsec ipsec4_fixup_checksum calls m_pullup, so don't ...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/f411a1b93725
branches:  trunk
changeset: 358980:f411a1b93725
user:      maxv <maxv%NetBSD.org@localhost>
date:      Wed Jan 24 14:01:40 2018 +0000

description:
ipsec4_fixup_checksum calls m_pullup, so don't forget to do mtod() again,
to prevent use-after-free.

In fact, the m_pullup call is never reached: it is impossible for 'skip'
to be zero in this function, so add an XXX for now.

diffstat:

 sys/netipsec/ipsec_input.c |  6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diffs (34 lines):

diff -r 09f3eb4878c5 -r f411a1b93725 sys/netipsec/ipsec_input.c
--- a/sys/netipsec/ipsec_input.c        Wed Jan 24 13:57:37 2018 +0000
+++ b/sys/netipsec/ipsec_input.c        Wed Jan 24 14:01:40 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_input.c,v 1.53 2018/01/23 02:21:49 ozaki-r Exp $ */
+/*     $NetBSD: ipsec_input.c,v 1.54 2018/01/24 14:01:40 maxv Exp $    */
 /*     $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
 /*     $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $        */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.53 2018/01/23 02:21:49 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.54 2018/01/24 14:01:40 maxv Exp $");
 
 /*
  * IPsec input processing.
@@ -370,6 +370,7 @@
                ip->ip_sum = 0;
                ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
        } else {
+               /* XXX this branch is never taken */
                ip = mtod(m, struct ip *);
        }
 
@@ -381,6 +382,7 @@
        m = ipsec4_fixup_checksum(m);
        if (m == NULL)
                goto cantpull;
+       ip = mtod(m, struct ip *);
 
        prot = ip->ip_p;