git: d60082f16e4c - main - pf: avoid NULL deref on purged states
Date: Wed, 18 Feb 2026 22:26:50 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=d60082f16e4c91d4b97d8b3b56b39fa348ecfbda
commit d60082f16e4c91d4b97d8b3b56b39fa348ecfbda
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-02-18 18:23:42 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-02-18 20:22:53 +0000
pf: avoid NULL deref on purged states
States can be invalidated and still be present in the state table for a
while (until the pf_purge thread cleans them up). These states might not
have keys set, so we must make sure a state is not purged before we try
to access those keys.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/netpfil/pf/pf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index b7c79437584e..90342f045763 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -2226,8 +2226,10 @@ pf_find_state(struct pf_pdesc *pd, const struct pf_state_key_cmp *key,
/* Look through the other list, in case of AF-TO */
idx = idx == PF_SK_WIRE ? PF_SK_STACK : PF_SK_WIRE;
TAILQ_FOREACH(s, &sk->states[idx], key_list[idx]) {
- if (s->key[PF_SK_WIRE]->af == s->key[PF_SK_STACK]->af)
+ if (s->timeout < PFTM_MAX &&
+ s->key[PF_SK_WIRE]->af == s->key[PF_SK_STACK]->af)
continue;
+
if (s->kif == V_pfi_all || s->kif == pd->kif ||
s->orig_kif == pd->kif) {
PF_STATE_LOCK(s);
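Review bot: In the TAILQ_FOREACH body, the added "s->timeout < PFTM_MAX &&" guard only short-circuits the key comparison for a purged state; that state does not hit the "continue" and instead falls through to the s->kif / s->orig_kif test and PF_STATE_LOCK(s). If purged states should never be candidates in this AF-TO pass, a separate "if (s->timeout >= PFTM_MAX) continue;" ahead of the key comparison would say so directly. If the fall-through is intentional because the code after the lock rejects them, a one-line comment would help, since the combined condition reads as though it filters purged states out. The commit message's reasoning (purged states may have no keys set) is also worth a short comment next to the check, so the guard is not removed later as redundant. Finally, s->timeout is read before PF_STATE_LOCK(s) is taken, so it is worth confirming what keeps the keys valid between this test and the two s->key[...]->af dereferences.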