From db4d2d7222ee1c03ade4eb3b82e263ce5c94cf61 Mon Sep 17 00:00:00 2001
From: Randall Stewart <rrs@FreeBSD.org>
Date: Fri, 16 Jul 2021 13:59:57 -0400
Subject: [PATCH] tcp: When rack or bbr get a pullup failure in the common
 code, don't free the NULL mbuf.

There is a bug in the error path where rack_bbr_common does a m_pullup() and the pullup fails.
There is a stray mfree(m) after m is set to NULL. This is not a good idea :-)

Reviewed by: tuexen
Sponsored by: Netflix Inc.
Differential Revision: https://reviews.freebsd.org/D31194
---
 sys/netinet/tcp_stacks/rack_bbr_common.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/sys/netinet/tcp_stacks/rack_bbr_common.c b/sys/netinet/tcp_stacks/rack_bbr_common.c
index d9f48f733e9..baa267b4375 100644
--- a/sys/netinet/tcp_stacks/rack_bbr_common.c
+++ b/sys/netinet/tcp_stacks/rack_bbr_common.c
@@ -210,7 +210,6 @@ ctf_get_enet_type(struct ifnet *ifp, struct mbuf *m)
 				m = m_pullup(m, sizeof(*ip6) + sizeof(*th));
 				if (m == NULL) {
 					KMOD_TCPSTAT_INC(tcps_rcvshort);
-					m_freem(m);
 					return (-1);
 				}
 			}
@@ -243,7 +242,6 @@ ctf_get_enet_type(struct ifnet *ifp, struct mbuf *m)
 				m = m_pullup(m, sizeof (struct tcpiphdr));
 				if (m == NULL) {
 					KMOD_TCPSTAT_INC(tcps_rcvshort);
-					m_freem(m);
 					return (-1);
 				}
 			}