[PATCH] Fix panic with pf fastroute

Andrey V. Elsukov bu7cher at yandex.ru
Wed Mar 11 09:51:33 UTC 2015


On 11.03.2015 11:39, Kristof Provost wrote:
> The pf code in pf_route6() neglected to set the mbuf pointer to NULL
> after the call to ip6_output(). As a result we end up trying to continue
> processing on an mbuf which has already been freed.
> ---
>  sys/netpfil/pf/pf.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
> index b32288b..7c3ddb8 100644
> --- a/sys/netpfil/pf/pf.c
> +++ b/sys/netpfil/pf/pf.c
> @@ -5470,6 +5470,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
>  			PF_STATE_UNLOCK(s);
>  		m0->m_flags |= M_SKIP_FIREWALL;
>  		ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
> +		*m = NULL;
>  		return;
>  	}
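Review bot: `*m = NULL` is cleared unconditionally after `ip6_output(m0, ...)`, but the mbuf that ip6_output() consumes is `m0`, not `*m`; if any path into this block makes `m0` a copy of `*m` rather than `*m` itself (the copy paths raised in the reply below), clearing `*m` here throws away the caller's only reference to an mbuf that was never handed to ip6_output(), which is a leak rather than a use-after-free. Suggest clearing the caller's pointer only when the two alias, e.g. `if (m0 == *m) *m = NULL;`, or moving the clear to the point where `m0` is assigned from `*m`, so the consumed and copied cases are handled where they diverge. A one-line comment stating that ip6_output() frees `m0` on every return path (including failure) would also make the reason for the clear obvious to the next reader.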

It looks like there are some code paths that do a copy of original mbuf.
Are you sure this doesn't introduce an mbuf leak?

-- 
WBR, Andrey V. Elsukov
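As an added illustration of the ownership question the patch and the reply are discussing (example code written for this page, not pf's or FreeBSD's own): a small constructed mbuf pool stands in for the kernel allocator, `ip6_output_sim()` consumes its mbuf on every path the way ip6_output() does, and `route_sim()` models the tail of pf_route6() under three variants, no fix, the unconditional `*m = NULL` from the hunk, and a clear guarded on `m0 == *m`. The `dup` path, where the routed packet is a copy and the original keeps going through pf, is an assumption made here to exercise the copy case the reply raises; every name ending in `_sim`, the pool, and the result codes are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed mbuf pool standing in for the kernel allocator (example code,
 * not pf's). Fixed slots let us detect a freed mbuf without a real UAF. */
#define POOL_SIZE 8

struct mbuf {
    int  in_use;            /* 0 once m_freem_sim() has run on this slot */
    char payload[64];
};

static struct mbuf pool[POOL_SIZE];

static struct mbuf *m_get_sim(const char *payload)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            strncpy(pool[i].payload, payload, sizeof(pool[i].payload) - 1);
            pool[i].payload[sizeof(pool[i].payload) - 1] = '\0';
            return &pool[i];
        }
    }
    return NULL;
}

static void m_freem_sim(struct mbuf *m) { if (m) m->in_use = 0; }

static struct mbuf *m_dup_sim(const struct mbuf *m) { return m_get_sim(m->payload); }

static int live_mbufs(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += pool[i].in_use;
    return n;
}

static void pool_reset(void) { memset(pool, 0, sizeof(pool)); }

/* Stand-in for ip6_output(): like the real one it consumes the mbuf it is
 * handed on every return path, so the caller must not touch it afterwards. */
static int ip6_output_sim(struct mbuf *m0)
{
    m_freem_sim(m0);
    return 0;
}

enum fix { FIX_NONE, FIX_UNCONDITIONAL, FIX_GUARDED };

/* Model of the pf_route6() tail. 'dup' selects an assumed copy path where the
 * routed packet is a duplicate and the original keeps going through pf;
 * the real copy logic lives outside the quoted hunk. */
static void route_sim(struct mbuf **m, int dup, enum fix fix)
{
    struct mbuf *m0 = dup ? m_dup_sim(*m) : *m;

    ip6_output_sim(m0);         /* m0 is gone after this call */

    if (fix == FIX_UNCONDITIONAL)
        *m = NULL;              /* the patch as posted */
    else if (fix == FIX_GUARDED && m0 == *m)
        *m = NULL;              /* clear only when m0 aliased the caller's mbuf */
}

/* Outcome codes for one run of the caller (constructed for the example). */
#define RESULT_OK             0
#define RESULT_USE_AFTER_FREE 1
#define RESULT_LEAK           2

/* Drive the caller's side: if *m is still set after routing, the caller keeps
 * processing it and frees it at the end (the assumed convention here). */
static int run_scenario(int dup, enum fix fix)
{
    pool_reset();
    struct mbuf *m = m_get_sim("ipv6 packet");
    route_sim(&m, dup, fix);

    if (m != NULL) {
        if (!m->in_use)
            return RESULT_USE_AFTER_FREE;   /* the reported panic */
        m_freem_sim(m);                     /* normal end of processing */
    }
    return live_mbufs() ? RESULT_LEAK : RESULT_OK;
}
```

Running the six combinations shows the two failure modes side by side: without the fix the non-copy path continues on a freed mbuf, while the unconditional clear turns the copy path into a leak of the original; only the guarded clear returns `RESULT_OK` on both.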
