From 56b3d8393e8f7d2e6bbd7753e2c8e3e5925f9b11 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Tue, 22 Mar 2016 07:05:19 +0100
Subject: [PATCH] netgraph: prevent panic during attach to-non ethernet devices

This code will be purged with 16.7, but for now we tighten the it to prevent panics that surfaced after cleaning up defunct code paths in the legacy VPN area of the GUI. Userland must not be able to produce panics...
PR: https://forum.opnsense.org/index.php?topic=2385
---
 sys/netgraph/ng_base.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/sys/netgraph/ng_base.c b/sys/netgraph/ng_base.c
index 026c98309fb..a42f690daaf 100644
--- a/sys/netgraph/ng_base.c
+++ b/sys/netgraph/ng_base.c
@@ -2923,10 +2923,15 @@ ng_generic_msg(node_p here, item_p item, hook_p lasthook)
 case NGM_ETHER_ATTACH:
 {
- struct ifnet *ifp;
- ifp = ifunit((char *)msg->data);
- if (ifp && ng_ether_attach_p != NULL) {
- ng_ether_attach_p(ifp);
+ struct ifnet *ifp = ifunit((char *)msg->data);
+
+ if (ng_ether_attach_p) {
+ if (ifp && (ifp->if_type == IFT_ETHER ||
+ && ifp->if_type == IFT_L2VLAN)) {
+ ng_ether_attach_p(ifp);
+ } else {
+ error = ENOENT;
+ }
 }
 break;
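Review bot: The new interface-type check in the NGM_ETHER_ATTACH case has a stray `&&` at the start of its continuation line, directly after the `||` that ends the line before, so the condition reads `ifp->if_type == IFT_ETHER || && ifp->if_type == IFT_L2VLAN` and should not compile as standard C. The continuation line should be `ifp->if_type == IFT_L2VLAN)) {`, which leaves the intended "Ethernet or L2 VLAN" test. Separately, `ifunit((char *)msg->data)` reads a name taken from a control message, and the hunk shows no check that the string is NUL-terminated within the message's argument length. ng_generic_msg starts and ends outside the hunk, so that check may exist elsewhere; if it does not, rejecting an unterminated or empty name with `EINVAL` before the lookup would match the stated goal that userland cannot cause a panic. When `ng_ether_attach_p` is NULL the case leaves `error` untouched, so the caller cannot tell that nothing was attached; a short comment stating whether that is intended would help.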