svn commit: r272089 - head/sys/netpfil/ipfw
Sean Bruno
sbruno at FreeBSD.org
Thu Sep 25 02:26:06 UTC 2014
Author: sbruno
Date: Thu Sep 25 02:26:05 2014
New Revision: 272089
URL: http://svnweb.freebsd.org/changeset/base/272089
Log:
Fix NULL pointer deref in ipfw when using dummynet at layer 2.
Drop packet if pkg->ifp is NULL, which is the case here.
ref. https://github.com/HardenedBSD/hardenedBSD
commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7
PR 193861 -- DUMMYNET LAYER2: kernel panic
in this case a kernel panic occurs. Hence, when we do not get an interface,
we just drop the packet in question.
PR: 193681
Submitted by: David Carlier <david.carlier at hardenedbsd.org>
Obtained from: Hardened BSD
MFC after: 2 weeks
Relnotes: yes
Modified:
head/sys/netpfil/ipfw/ip_dn_io.c
Modified: head/sys/netpfil/ipfw/ip_dn_io.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_dn_io.c Wed Sep 24 22:58:10 2014 (r272088)
+++ head/sys/netpfil/ipfw/ip_dn_io.c Thu Sep 25 02:26:05 2014 (r272089)
@@ -751,10 +751,15 @@ dummynet_send(struct mbuf *m)
/* extract the dummynet info, rename the tag
* to carry reinject info.
*/
- dst = pkt->dn_dir;
- ifp = pkt->ifp;
- tag->m_tag_cookie = MTAG_IPFW_RULE;
- tag->m_tag_id = 0;
+ if (pkt->dn_dir == (DIR_OUT | PROTO_LAYER2) &&
+ pkt->ifp == NULL) {
+ dst = DIR_DROP;
+ } else {
+ dst = pkt->dn_dir;
+ ifp = pkt->ifp;
+ tag->m_tag_cookie = MTAG_IPFW_RULE;
+ tag->m_tag_id = 0;
+ }
}
switch (dst) {
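Review bot: the NULL check at the top of the new block is limited to `pkt->dn_dir == (DIR_OUT | PROTO_LAYER2)`, so a NULL `pkt->ifp` with any other direction still takes the else branch and reaches `switch (dst)` with `ifp = NULL`. If any other case of that switch uses `ifp`, it needs the same guard. If only the layer 2 output case does, a short comment saying so would explain why the test is this narrow. The drop branch also leaves `ifp` unassigned and skips the `m_tag_cookie` / `m_tag_id` rewrite, which is fine only if the `DIR_DROP` handling reads neither. The existing comment above the block ("extract the dummynet info, rename the tag") no longer describes the drop path and should be extended to mention it.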