git: 7d38eb720a8d - main - routing: Fix use-after-free in finalize_nhop
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 14 Apr 2026 10:33:53 UTC
The branch main has been updated by pouria:
URL: https://cgit.FreeBSD.org/src/commit/?id=7d38eb720a8d8345949986d779e785984ae19ae0
commit 7d38eb720a8d8345949986d779e785984ae19ae0
Author: Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
AuthorDate: 2026-04-14 09:36:53 +0000
Commit: Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
CommitDate: 2026-04-14 10:32:56 +0000
routing: Fix use-after-free in finalize_nhop
FIB_NH_LOG calls the `nhop_get_upper_family(nh)` to read
`nh->nh_priv->nh_upper_family` for failure logging.
Call FIB_NH_LOG before freeing nh so failures are logged
without causing a panic.
MFC after: 3 days
---
sys/net/route/nhop_ctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/net/route/nhop_ctl.c b/sys/net/route/nhop_ctl.c
index 6c03e621ed82..52e7b0fefcd2 100644
--- a/sys/net/route/nhop_ctl.c
+++ b/sys/net/route/nhop_ctl.c
@@ -491,17 +491,17 @@ finalize_nhop(struct nh_control *ctl, struct nhop_object *nh, bool link)
/* Allocate per-cpu packet counter */
nh->nh_pksent = counter_u64_alloc(M_NOWAIT);
if (nh->nh_pksent == NULL) {
+ FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed");
nhop_free(nh);
RTSTAT_INC(rts_nh_alloc_failure);
- FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed");
return (ENOMEM);
}
if (!reference_nhop_deps(nh)) {
+ FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed");
counter_u64_free(nh->nh_pksent);
nhop_free(nh);
RTSTAT_INC(rts_nh_alloc_failure);
- FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed");
return (EAGAIN);
}