git: 81385f622037 - stable/13 - pf: handle divert packets
Date: Sun, 30 Nov 2025 10:30:58 UTC
The branch stable/13 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=81385f622037a5b78fd4f8046163367fa607d37a
commit 81385f622037a5b78fd4f8046163367fa607d37a
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-11-15 13:44:54 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-11-29 20:02:00 +0000
pf: handle divert packets
In a divert setup pf_test_state() may return PF_PASS, but not set the state
pointer. We didn't handle that, and as a result crashed immediately afterwards
trying to dereference that NULL state pointer.
Add a test case to provoke the problem.
PR: 260867
MFC after: 2 weeks
Submitted by: Phil Budne <phil.budne@gmail.com>
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 66f2f1c83247f05a3a599d7e88c7e7efbedd16b5)
---
sys/netpfil/pf/pf.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 298793e6228e..16ce78560e2d 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7552,11 +7552,13 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *
action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
&reason);
if (action == PF_PASS) {
- if (V_pfsync_update_state_ptr != NULL)
- V_pfsync_update_state_ptr(s);
- r = s->rule.ptr;
- a = s->anchor.ptr;
- log = s->log;
+ if (s != NULL) {
+ if (V_pfsync_update_state_ptr != NULL)
+ V_pfsync_update_state_ptr(s);
+ r = s->rule.ptr;
+ a = s->anchor.ptr;
+ log = s->log;
+ }
} else if (s == NULL) {
/* Validate remote SYN|ACK, re-create original SYN if
* valid. */
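Review bot: the new `if (s != NULL)` guard in the TCP PF_PASS branch has no comment saying when a pass verdict can arrive without a state, so the check reads as dead code to anyone who has not seen the commit message. A one-line comment naming the divert case would help. Note also that on this path `r`, `a` and `log` keep whatever values they had before the call, and the `else if (s == NULL)` arm is skipped because it is only reached when action is not PF_PASS; the code after this block should be checked to confirm it tolerates those three variables being unset by a state.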
@@ -7612,11 +7614,13 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *
}
action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
if (action == PF_PASS) {
- if (V_pfsync_update_state_ptr != NULL)
- V_pfsync_update_state_ptr(s);
- r = s->rule.ptr;
- a = s->anchor.ptr;
- log = s->log;
+ if (s != NULL) {
+ if (V_pfsync_update_state_ptr != NULL)
+ V_pfsync_update_state_ptr(s);
+ r = s->rule.ptr;
+ a = s->anchor.ptr;
+ log = s->log;
+ }
} else if (s == NULL)
action = pf_test_rule(&r, &s, dir, kif, m, off, &pd,
&a, &ruleset, inp);
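Review bot: in the UDP branch, PF_PASS with `s == NULL` now skips both the state-derived assignments and the `pf_test_rule()` call in the `else if (s == NULL)` arm, so the packet passes with `r` and `a` never set here; please confirm that is the intended outcome for diverted packets rather than falling back to rule evaluation. The guarded block is also identical to the TCP one above and could be shared through a small helper so the two stay in sync. Separately, the commit message says a test case is added, but the diffstat for this cherry-pick lists only sys/netpfil/pf/pf.c.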