[Bug 283426] panic in sbappendaddr_locked() - if_ovpn related?
Date: Tue, 15 Apr 2025 12:26:50 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283426
--- Comment #18 from commit-hook@FreeBSD.org ---
A commit in branch stable/14 references this bug:
URL: https://cgit.FreeBSD.org/src/commit/?id=1463d5ff13164362f0825c4613dcb4eb42a7396c
commit 1463d5ff13164362f0825c4613dcb4eb42a7396c
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-04-01 13:19:26 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-04-15 07:27:09 +0000
if_ovpn: fix use-after-free of mbuf

m_unshare() can return a new mbuf pointer. We update the 'm' pointer in
ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for
an unknown peer) the caller (udp_append()) continues with the old 'm' pointer,
eventually resulting in a use-after-free.

Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer
until we're committed to keeping the packet.
PR: 283426
Test case by: takahiro.kurosawa@gmail.com
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 04a7134c1e92c7752ffdc665f99ae26db70866c0)
sys/net/if_ovpn.c | 12 +++---
tests/sys/net/if_ovpn/if_ovpn.sh | 81 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 87 insertions(+), 6 deletions(-)
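
The ordering problem described in the commit message, as a simplified C model added here (not code from the FreeBSD commit). The names buf, buf_unshare(), hook_before(), hook_after() and the peer id 7 are hypothetical stand-ins for the mbuf, m_unshare() and ovpn_udp_input() logic; buffer lifetime is tracked with a flag, so no freed memory is actually touched.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed model: a small pool of buffers standing in for mbufs. */
struct buf { bool live; bool shared; unsigned peer_id; };
static struct buf pool[4];

static struct buf *buf_alloc(unsigned peer_id, bool shared) {
    for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++)
        if (!pool[i].live) { pool[i] = (struct buf){ true, shared, peer_id }; return &pool[i]; }
    return NULL;
}

/* Stand-in for m_unshare(): may return a NEW buffer and release the old one. */
static struct buf *buf_unshare(struct buf *b) {
    if (!b->shared) return b;
    struct buf *n = buf_alloc(b->peer_id, false);
    b->live = false;                /* in this model the old buffer is always released */
    return n;
}
static bool peer_known(unsigned id) { return id == 7; }  /* constructed peer table */

/* Hooks return true when they consumed the packet, false to pass it back. */
static bool hook_before(struct buf *b) {
    b = buf_unshare(b);             /* updates only this function's copy of the pointer */
    if (b == NULL) return true;
    if (!peer_known(b->peer_id)) return false;  /* pass: caller's pointer is now stale */
    b->live = false;                /* consume */
    return true;
}

static bool hook_after(struct buf *b) {
    if (!peer_known(b->peer_id)) return false;  /* pass: buffer untouched */
    b = buf_unshare(b);             /* only now committed to keeping the packet */
    if (b != NULL) b->live = false; /* consume */
    return true;
}

/* Caller: is the buffer it still holds valid once the hook has returned? */
static bool caller_buffer_valid(bool (*hook)(struct buf *), unsigned peer_id) {
    memset(pool, 0, sizeof(pool));
    struct buf *b = buf_alloc(peer_id, true);   /* shared, so unshare will copy */
    return hook(b) ? true : b->live;            /* consumed: b unused; passed: b reused */
}

int main(void) {
    printf("before: %d, after: %d\n", caller_buffer_valid(hook_before, 99), caller_buffer_valid(hook_after, 99));
    return 0;
}
```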