git: 2fed983ceb66 - stable/14 - pf: fix use-after-free
Date: Mon, 01 Apr 2024 07:34:36 UTC
The branch stable/14 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=2fed983ceb6678fbe2facb20627248a5fae6cf7a
commit 2fed983ceb6678fbe2facb20627248a5fae6cf7a
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-03-23 16:02:50 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-04-01 07:33:32 +0000
pf: fix use-after-free
If we fragment the packet in pf_route() the first transmitted packet
will free the pf_mtag we have stored in pf_pdesc (pd). Ensure we
update that pointer for every packet to avoid using a freed pointer in
pf_dummynet_route().
Reported by: CI KASAN, markj
MFC after: 1 week
(cherry picked from commit a1ecbc57011758257b85c3e9f51efc93ac93169d)
---
sys/netpfil/pf/pf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index e19370cc7333..b0b0a02afaf4 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7374,6 +7374,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp,
if (error == 0) {
m_clrprotoflags(m0);
md = m0;
+ pd->pf_mtag = pf_find_mtag(md);
error = pf_dummynet_route(pd, s, r, ifp,
sintosa(&dst), &md);
if (md != NULL)
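Review bot: the added `pd->pf_mtag = pf_find_mtag(md);` stores the lookup result with no NULL check and no comment, immediately before `pf_dummynet_route(pd, s, r, ifp, ...)` consumes `pd`. If a fragment can reach this point without a pf tag attached, pf_dummynet_route() has to tolerate a NULL `pd->pf_mtag`; that is worth confirming, or asserting at this line. Per the commit message, transmitting a packet frees the tag stored in `pd`, so once the last fragment has been sent `pd->pf_mtag` again refers to freed memory. Consider resetting it to NULL after the fragments have been handled so a later reader of `pd` cannot pick up the stale pointer, and add a one-line comment here stating that the tag belongs to the individual mbuf and must be re-read for each fragment.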