Date:      Tue, 15 Apr 2025 12:26:50 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 283426] panic in sbappendaddr_locked() - if_ovpn related?
Message-ID:  <bug-283426-7501-IkptQUuPfq@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-283426-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-283426-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283426

--- Comment #18 from commit-hook@FreeBSD.org ---
A commit in branch stable/14 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=1463d5ff13164362f0825c4613dcb4eb42a7396c

commit 1463d5ff13164362f0825c4613dcb4eb42a7396c
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-04-01 13:19:26 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-04-15 07:27:09 +0000

    if_ovpn: fix use-after-free of mbuf

    m_unshare() can return a new mbuf pointer. We update the 'm' pointer in
    ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for
    an unknown peer) the caller (udp_append()) continues with the old 'm' pointer,
    eventually resulting in a use-after-free.

    Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer
    until we're committed to keeping the packet.

    PR:             283426
    Test case by:   takahiro.kurosawa@gmail.com
    MFC after:      2 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 04a7134c1e92c7752ffdc665f99ae26db70866c0)

 sys/net/if_ovpn.c                | 12 +++---
 tests/sys/net/if_ovpn/if_ovpn.sh | 81 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 6 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
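
The ordering problem described in the commit message above, reduced to a small userland C model as an added example (it is not the FreeBSD code or the actual patch). `struct buf`, `buf_unshare()`, `known_peer()` and the handler names are hypothetical, and the model assumes the unshare step releases the old buffer whenever it returns a new one.

```c
/* Userland model, constructed for illustration; not FreeBSD kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct buf {            /* hypothetical stand-in for an mbuf */
    bool shared;        /* data is shared, so unsharing must copy */
    bool freed;         /* flag instead of free(), so checks stay well-defined */
    unsigned peer_id;
};
static struct buf pool[16];
static size_t pool_used;

static struct buf *buf_new(unsigned peer_id, bool shared) {
    struct buf *b = &pool[pool_used++ % 16];
    b->shared = shared; b->freed = false; b->peer_id = peer_id;
    return b;
}
/* Assumed m_unshare()-like behaviour: may return a new buffer and release the old. */
static struct buf *buf_unshare(struct buf *b) {
    if (!b->shared) return b;
    struct buf *n = buf_new(b->peer_id, false);
    b->freed = true;
    return n;
}
static bool known_peer(unsigned id) { return id == 1; }

/* Both handlers return true if they consumed the packet, false to pass it on. */
static bool input_buggy(struct buf *m) {
    m = buf_unshare(m);                        /* caller's copy of 'm' may now be stale */
    if (!known_peer(m->peer_id)) return false; /* pass on: caller still holds old 'm' */
    m->freed = true;                           /* consumed */
    return true;
}
static bool input_fixed(struct buf *m) {
    if (!known_peer(m->peer_id)) return false; /* decide before modifying 'm' */
    m = buf_unshare(m);                        /* committed to keeping the packet */
    m->freed = true;
    return true;
}
/* Caller model: true if it would continue with a buffer that was already freed. */
static bool caller_touches_freed(bool (*input)(struct buf *), unsigned peer) {
    struct buf *m = buf_new(peer, true);
    return input(m) ? false : m->freed;
}
int main(void) {
    printf("buggy, unknown peer: stale=%d\n", caller_touches_freed(input_buggy, 2));
    printf("fixed, unknown peer: stale=%d\n", caller_touches_freed(input_fixed, 2));
    return 0;
}
```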


