Date: Sat, 12 Jul 2025 14:31:41 GMT
Message-Id: <202507121431.56CEVfBi094756@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kajetan Staszkiewicz
Subject: git: 16a9f31b8aae - main - pf: Don't access sk and nk before they are allocated
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ks
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 16a9f31b8aae6cc16baf283183470fc17c9b488e
Auto-Submitted: auto-generated

The branch main has been updated by ks:

URL: https://cgit.FreeBSD.org/src/commit/?id=16a9f31b8aae6cc16baf283183470fc17c9b488e

commit 16a9f31b8aae6cc16baf283183470fc17c9b488e
Author:     Kajetan Staszkiewicz
AuthorDate: 2025-06-03 14:10:52 +0000
Commit:     Kajetan Staszkiewicz
CommitDate: 2025-07-12 14:27:46 +0000

    pf: Don't access sk and nk before they are allocated

    The NAT addresses are chosen during ruleset parsing. The new afto code
    stores post-nat addresses in nsaddr. The old nat code (also used for new
    nat-to rules) creates state keys and stores addresses in them.

    Ensure proper way of accessing the NAT addresses in case sticky-address
    is used for af-to rules.

    Reviewed by:    kp
    Approved by:    kp
    Sponsored by:   InnoGames GmbH
    Differential Revision:  https://reviews.freebsd.org/D50768

--- sys/netpfil/pf/pf.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 41658a29014e..acdeebb85e30 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c 
@@ -6054,9 +6054,16 @@ pf_create_state(struct pf_krule *r, struct pf_test_ctx *ctx, /* src node for translation rule */ if (ctx->nr != NULL) { KASSERT(ctx->nat_pool != NULL, ("%s: nat_pool is NULL", __func__)); + /* + * The NAT addresses are chosen during ruleset parsing. + * The new afto code stores post-nat addresses in nsaddr. + * The old nat code (also used for new nat-to rules) creates + * state keys and stores addresses in them. + */ if ((ctx->nat_pool->opts & PF_POOL_STICKYADDR) && (sn_reason = pf_insert_src_node(sns, snhs, ctx->nr, - &ctx->sk->addr[pd->sidx], pd->af, &ctx->nk->addr[1], NULL, + ctx->sk ? &(ctx->sk->addr[pd->sidx]) : pd->src, pd->af, + ctx->nk ? &(ctx->nk->addr[1]) : &(pd->nsaddr), NULL, PF_SN_NAT)) != 0 ) { REASON_SET(&ctx->reason, sn_reason); goto csfailed;
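Review bot: The two NULL checks in the pf_insert_src_node() call are independent ternaries, so a context where ctx->sk is set but ctx->nk is NULL (or the reverse) would silently pair a state-key address with a pd address and record an inconsistent sticky-address source node. If the two keys are always allocated together, as the new comment implies, assert that next to the existing nat_pool KASSERT, for example `KASSERT((ctx->sk == NULL) == (ctx->nk == NULL), ("%s: sk/nk mismatch", __func__));`, or test once and select both addresses in a single branch. The added comment explains where each code path stores the post-NAT addresses but does not say that ctx->sk and ctx->nk are the pointers that can still be NULL here for af-to rules; one sentence stating that would make the fallback to `pd->src` and `&(pd->nsaddr)` self-explanatory. Minor style point: the parentheses in `&(ctx->sk->addr[pd->sidx])`, `&(ctx->nk->addr[1])` and `&(pd->nsaddr)` are redundant, and the removed lines did not use them.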