git: a1ecbc570117 - main - pf: fix use-after-free
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 25 Mar 2024 04:44:50 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=a1ecbc57011758257b85c3e9f51efc93ac93169d
commit a1ecbc57011758257b85c3e9f51efc93ac93169d
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-03-23 16:02:50 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-03-25 04:44:23 +0000
pf: fix use-after-free
If we fragment the packet in pf_route() the first transmitted packet
will free the pf_mtag we have stored in pf_pdesc (pd). Ensure we
update that pointer for every packet to avoid using a freed pointer in
pf_dummynet_route().
Reported by: CI KASAN, markj
MFC after: 1 week
---
sys/netpfil/pf/pf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index d7536e44623e..50dc67b72439 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7450,6 +7450,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp,
if (error == 0) {
m_clrprotoflags(m0);
md = m0;
+ pd->pf_mtag = pf_find_mtag(md);
error = pf_dummynet_route(pd, s, r, ifp,
sintosa(&dst), &md);
if (md != NULL)