git: faec43a79bf9 - stable/13 - pf: avoid use-after-free on reassembly
Date: Mon, 20 Jan 2025 16:27:52 UTC
The branch stable/13 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=faec43a79bf9a43ac3e2bc3e1de244dd31868dd3
commit faec43a79bf9a43ac3e2bc3e1de244dd31868dd3
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-01-20 07:11:14 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-01-20 16:17:10 +0000
pf: avoid use-after-free on reassembly
Ensure we update the mbuf pointer returned by pf_normalize_ip() or
pf_normalize_ip6() even if they fail.
Otherwise we'd risk using a freed mbuf.
PR: 283705
Reported by: Yichen Chai <yichen.chai@gmail.com>, Zhuo Ying Jiang Li <zyj20@cl.cam.ac.uk>
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 5d28f4cab8d5919aba1365e885a91a96c0655b59)
---
sys/netpfil/pf/pf.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index e5cd0b83ac0c..b5f872d40b02 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7468,6 +7468,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *
pd.pf_mtag->flags &= ~PF_FASTFWD_OURS_PRESENT;
}
} else if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) {
+ m = *m0;
/* We do IP header normalization and packet reassembly here */
action = PF_DROP;
goto done;
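Review bot: The added `m = *m0;` in the pf_normalize_ip() failure branch has no comment explaining why a local is reassigned just before `goto done`. It also sits above the existing "normalization and packet reassembly" comment, which now reads as if it described the drop rather than the call in the condition. I would add a why-comment such as `/* pf_normalize_ip() may have freed or replaced *m0; resync the local alias */` and move the older comment back next to the call, as the pf_test6() hunk has it. The same why-comment belongs on the identical line in the pf_test6() hunk. Whether other calls in pf_test() that take `m0` need the same resync cannot be judged from here, because the function body continues outside the hunk.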
@@ -7679,6 +7680,10 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *
done:
PF_RULES_RUNLOCK();
+
+ if (m == NULL)
+ goto out;
+
if (action == PF_PASS && h->ip_hl > 5 &&
!((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
action = PF_DROP;
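Review bot: The new `if (m == NULL) goto out;` after `PF_RULES_RUNLOCK()` is undocumented, so nothing tells a reader that it protects the `h->ip_hl` test directly below, which presumably reads from the packet data. A short comment would pin the invariant, for example `/* mbuf already consumed or freed (e.g. by reassembly); nothing below may touch the packet */`. The guard also skips everything between `done` and `out`, which lies outside this hunk. If that stretch holds drop accounting or logging, the comment should say the skip is intended. The same applies to the matching guard in the pf_test6() hunk, placed ahead of the IPv6 extension-header check.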
@@ -7936,6 +7941,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
/* We do IP header normalization and packet reassembly here */
if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) {
+ m = *m0;
action = PF_DROP;
goto done;
}
@@ -8210,6 +8216,9 @@ done:
n = NULL;
}
+ if (m == NULL)
+ goto out;
+
/* handle dangerous IPv6 extension headers. */
if (action == PF_PASS && rh_cnt &&
!((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {