svn commit: r232663 - projects/pf/head/sys/contrib/pf/net

Gleb Smirnoff glebius at FreeBSD.org
Wed Mar 7 18:18:25 UTC 2012


Author: glebius
Date: Wed Mar  7 18:18:24 2012
New Revision: 232663
URL: http://svn.freebsd.org/changeset/base/232663

Log:
  Ugly fix for a double free possible after r232656.

Modified:
  projects/pf/head/sys/contrib/pf/net/pf.c

Modified: projects/pf/head/sys/contrib/pf/net/pf.c
==============================================================================
--- projects/pf/head/sys/contrib/pf/net/pf.c	Wed Mar  7 18:13:33 2012	(r232662)
+++ projects/pf/head/sys/contrib/pf/net/pf.c	Wed Mar  7 18:18:24 2012	(r232663)
@@ -723,12 +723,9 @@ pf_state_key_attach(struct pf_state_key 
 				}
 			}
 		/*
-		 * Collided key may be the same we are trying to attach,
-		 * this happens for non-NAT states, they are attached
-		 * twice: via PF_SK_WIRE and PF_SK_STACK tailqs.
+		 * Collided key is later freed in pf_state_insert().
+		 * XXXGL: should be redesigned.
 		 */
-		if (cur != sk)
-			uma_zfree(V_pf_state_key_z, sk);
 		s->key[idx] = cur;
 	} else
 		s->key[idx] = sk;
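Review bot: The replacement comment says the collided key is freed later, but `cur` (the key already in the tree) is what gets stored in `s->key[idx]`, so the object left to free is the caller's `sk`. Wording such as `/* sk lost the collision; the caller (pf_state_insert()) frees it. */` would state the ownership transfer accurately. With the `uma_zfree()` removed from this branch, any other caller of pf_state_key_attach() would presumably leak `sk` on a collision, so the contract is worth stating at the function header, which lies outside this hunk.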
@@ -835,12 +832,19 @@ pf_state_insert(struct pfi_kif *kif, str
 		PF_KEYS_UNLOCK();
 		return (-1);
 	}
+
+	if (s->key[PF_SK_WIRE] != skw && skw != sks)
+		uma_zfree(V_pf_state_key_z, skw);
+
 	if (pf_state_key_attach(sks, s, PF_SK_STACK)) {
 		pf_state_key_detach(s, PF_SK_WIRE);
 		PF_KEYS_UNLOCK();
 		return (-1);
 	}
 
+	if (s->key[PF_SK_STACK] != sks && s->key[PF_SK_WIRE] != sks)
+		uma_zfree(V_pf_state_key_z, sks);
+
 	if (s->id == 0 && s->creatorid == 0) {
 		s->id = htobe64(V_pf_status.stateid++);
 		s->creatorid = V_pf_status.hostid;
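Review bot: The early return after the failed PF_SK_STACK attach is reached before the second `uma_zfree()` check, and the first check skips the free whenever `skw == sks`. For a shared key that collided on the wire side, release on that error path therefore depends entirely on what pf_state_key_attach() does with `sk` when it fails, which is not visible in this hunk; confirm that the path neither leaks nor frees twice. The two conditions also encode three cases (distinct keys, one shared key, collision) without saying so, and a comment above each, e.g. `/* skw lost a collision and is not shared with the stack side: still ours to free */`, would make them reviewable. Setting the local to NULL after each free would make any stale use obvious; pf_state_insert() continues beyond the hunk.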

