git: 07a3501e6c85 - main - loopback: fix use-after-free
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 21 Apr 2026 11:32:54 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=07a3501e6c85baa4236061f8af4c2772307835f4
commit 07a3501e6c85baa4236061f8af4c2772307835f4
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-04-21 09:19:26 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-04-21 09:51:29 +0000
loopback: fix use-after-free
Once we hand an mbuf over to netisr_queue() we may no longer access it.
Save the length before the call so we can use it to increment counters
afterwards.
Fixes: 956acdce0505 ("loopback: Account for packet drops")
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/net/if_loop.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/net/if_loop.c b/sys/net/if_loop.c
index 2ff265d5d1e7..33ddd3a8540e 100644
--- a/sys/net/if_loop.c
+++ b/sys/net/if_loop.c
@@ -276,6 +276,7 @@ int
if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen)
{
int isr;
+ int32_t len;
M_ASSERTPKTHDR(m);
m_tag_delete_nonpersistent(m);
@@ -350,9 +351,10 @@ if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen)
m_freem(m);
return (EAFNOSUPPORT);
}
+ len = m->m_pkthdr.len;
if (netisr_queue(isr, m) == 0) {
if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
- if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
+ if_inc_counter(ifp, IFCOUNTER_IBYTES, len);
} else {
/* mbuf is free'd on failure. */
if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);