git: a1ecbc570117 - main - pf: fix use-after-free
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 25 Mar 2024 04:44:50 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=a1ecbc57011758257b85c3e9f51efc93ac93169d commit a1ecbc57011758257b85c3e9f51efc93ac93169d Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2024-03-23 16:02:50 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2024-03-25 04:44:23 +0000 pf: fix use-after-free If we fragment the packet in pf_route() the first transmitted packet will free the pf_mtag we have stored in pf_pdesc (pd). Ensure we update that pointer for every packet to avoid using a freed pointer in pf_dummynet_route(). Reported by: CI KASAN, markj MFC after: 1 week --- sys/netpfil/pf/pf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index d7536e44623e..50dc67b72439 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7450,6 +7450,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, if (error == 0) { m_clrprotoflags(m0); md = m0; + pd->pf_mtag = pf_find_mtag(md); error = pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md); if (md != NULL)