Date: Mon, 25 Mar 2024 04:44:50 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: a1ecbc570117 - main - pf: fix use-after-free
Message-ID: <202403250444.42P4iooM049740@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=a1ecbc57011758257b85c3e9f51efc93ac93169d commit a1ecbc57011758257b85c3e9f51efc93ac93169d Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2024-03-23 16:02:50 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2024-03-25 04:44:23 +0000 pf: fix use-after-free If we fragment the packet in pf_route() the first transmitted packet will free the pf_mtag we have stored in pf_pdesc (pd). Ensure we update that pointer for every packet to avoid using a freed pointer in pf_dummynet_route(). Reported by: CI KASAN, markj MFC after: 1 week --- sys/netpfil/pf/pf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index d7536e44623e..50dc67b72439 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7450,6 +7450,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, if (error == 0) { m_clrprotoflags(m0); md = m0; + pd->pf_mtag = pf_find_mtag(md); error = pf_dummynet_route(pd, s, r, ifp, sintosa(&dst), &md); if (md != NULL)
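Review bot: the added `pd->pf_mtag = pf_find_mtag(md);` in the `if (error == 0)` branch of pf_route() carries no comment explaining why the cached pointer is refreshed for every packet; the reason is only in the commit message (each transmitted fragment frees the tag stored in pd), so a one-line comment above the assignment would keep a later cleanup from dropping it as redundant. Two points the visible lines do not settle and that are worth confirming: whether pf_find_mtag() can return NULL for a fragment at this point and, if so, whether pf_dummynet_route() tolerates a NULL `pd->pf_mtag`; and whether anything reads `pd->pf_mtag` after the pf_dummynet_route() call, since by the commit message's own reasoning the pointer is stale again once `md` has been transmitted. If later reads are possible, clearing the field after the call would make a stale use fail loudly instead of touching freed memory.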