Date: Tue, 21 Feb 2012 20:25:28 GMT
From: Arnaud Lacombe <lacombar@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/165373: Obvious use-after-free in ipfw_nat()
Message-ID: <201202212025.q1LKPSno052389@red.freebsd.org>
Resent-Message-ID: <201202212030.q1LKUBw0069227@freefall.freebsd.org>
>Number:         165373
>Category:       misc
>Synopsis:       Obvious use-after-free in ipfw_nat()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 21 20:30:11 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Arnaud Lacombe
>Release:        10-current
>Organization:
n/a
>Environment:
>Description:
ipfw_nat() reads the following:

	mcl = m_megapullup(m, m->m_pkthdr.len);
	if (mcl == NULL) {
		args->m = NULL;
		return (IP_FW_DENY);
	}
	ip = mtod(mcl, struct ip *);

	[...]

	if (retval == PKT_ALIAS_RESPOND)
		m->m_flags |= M_SKIP_FIREWALL;

It is quite obvious that `m' is no longer valid in the second conditional.

I reported this months ago on freebsd-net@ and did provide a patch to fix it, but no developer seems to actually care about such a bug.
>How-To-Repeat:
read the code.
>Fix:
s/m/mcl/
>Release-Note:
>Audit-Trail:
>Unformatted:
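A small pool-backed C model of the pattern the report describes, added here as an illustration and not FreeBSD code: `sim_megapullup()` stands in for m_megapullup(), `needs_copy` is a constructed stand-in for the case where the data has to be copied into a new buffer, and the flag values and pool are made up. The buggy shape shows the flag landing on the freed object and missing from the buffer actually returned; the fixed shape (the PR's s/m/mcl/) sets it on `mcl`.

```c
#include <string.h>
#define M_SKIP_FIREWALL 0x4000u  /* illustrative bit value, not FreeBSD's */
#define M_INUSE         0x0001u  /* model only: marks a live buffer */
#define POOL_SIZE       4

struct mbuf_sim { unsigned flags; };
static struct mbuf_sim pool[POOL_SIZE];
static void pool_reset(void) { memset(pool, 0, sizeof pool); }

static struct mbuf_sim *sim_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!(pool[i].flags & M_INUSE)) { pool[i].flags = M_INUSE; return &pool[i]; }
    return NULL;
}

/* Model of m_free(): flags cleared, so a later stale write leaves a bit set. */
static void sim_free(struct mbuf_sim *m) { m->flags = 0; }

/* Model of m_megapullup(): same buffer if it fits, else a fresh one while the
 * original is freed (failure path simplified); that is what makes `m' unsafe. */
static struct mbuf_sim *sim_megapullup(struct mbuf_sim *m, int needs_copy) {
    if (!needs_copy) return m;
    struct mbuf_sim *mcl = sim_alloc();
    if (mcl != NULL) sim_free(m);  /* m dangles from here on */
    return mcl;
}

/* Shape reported in the PR: the flag is set on `m' after the pullup. */
static struct mbuf_sim *nat_buggy(struct mbuf_sim *m, int needs_copy) {
    struct mbuf_sim *mcl = sim_megapullup(m, needs_copy);
    if (mcl == NULL) return NULL;
    m->flags |= M_SKIP_FIREWALL;   /* stale pointer when a copy happened */
    return mcl;
}

/* Fixed shape (s/m/mcl/): the flag is set on the buffer actually returned. */
static struct mbuf_sim *nat_fixed(struct mbuf_sim *m, int needs_copy) {
    struct mbuf_sim *mcl = sim_megapullup(m, needs_copy);
    if (mcl == NULL) return NULL;
    mcl->flags |= M_SKIP_FIREWALL;
    return mcl;
}

/* Check: a non-live pool object carrying any flag means a stale write. */
static int freed_object_was_written(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!(pool[i].flags & M_INUSE) && pool[i].flags != 0) return 1;
    return 0;
}
```

In a real kernel the freed mbuf is recycled by the allocator rather than sitting zeroed, so the same stale write corrupts whichever object next occupies that memory; the poisoned-pool check here is the kind of invariant a debug allocator uses to make that visible.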