git: a1ecbc570117 - main - pf: fix use-after-free

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Mon, 25 Mar 2024 04:44:50 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=a1ecbc57011758257b85c3e9f51efc93ac93169d

commit a1ecbc57011758257b85c3e9f51efc93ac93169d
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-03-23 16:02:50 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-03-25 04:44:23 +0000

    pf: fix use-after-free
    
    If we fragment the packet in pf_route() the first transmitted packet
    will free the pf_mtag we have stored in pf_pdesc (pd). Ensure we
    update that pointer for every packet to avoid using a freed pointer in
    pf_dummynet_route().
    
    Reported by:    CI KASAN, markj
    MFC after:      1 week
---
 sys/netpfil/pf/pf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index d7536e44623e..50dc67b72439 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7450,6 +7450,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp,
 		if (error == 0) {
 			m_clrprotoflags(m0);
 			md = m0;
+			pd->pf_mtag = pf_find_mtag(md);
 			error = pf_dummynet_route(pd, s, r, ifp,
 			    sintosa(&dst), &md);
 			if (md != NULL)
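Review bot: the new line `pd->pf_mtag = pf_find_mtag(md);` refreshes the stored pointer before each `pf_dummynet_route()` call, but pf_find_mtag() can return NULL when the mbuf carries no pf tag, so confirm that pf_dummynet_route() tolerates pd->pf_mtag == NULL on the later fragments rather than dereferencing it. A one-line comment above the assignment explaining that transmitting the previous fragment frees the tag referenced by pd would keep a future reader from removing what looks like a redundant lookup, and any sibling routing path that loops over fragments the same way should get the same reassignment.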