Date: Sun, 30 Nov 2025 10:30:58 +0000 From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 81385f622037 - stable/13 - pf: handle divert packets Message-ID: <692c1ce2.356fc.63801cce@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=81385f622037a5b78fd4f8046163367fa607d37a commit 81385f622037a5b78fd4f8046163367fa607d37a Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-11-15 13:44:54 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-11-29 20:02:00 +0000 pf: handle divert packets In a divert setup pf_test_state() may return PF_PASS, but not set the state pointer. We didn't handle that, and as a result crashed immediately afterwards trying to dereference that NULL state pointer. Add a test case to provoke the problem. PR: 260867 MFC after: 2 weeks Submitted by: Phil Budne <phil.budne@gmail.com> Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 66f2f1c83247f05a3a599d7e88c7e7efbedd16b5) --- sys/netpfil/pf/pf.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 298793e6228e..16ce78560e2d 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7552,11 +7552,13 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb * action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, &reason); if (action == PF_PASS) { - if (V_pfsync_update_state_ptr != NULL) - V_pfsync_update_state_ptr(s); - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; + if (s != NULL) { + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); + r = s->rule.ptr; + a = s->anchor.ptr; + log = s->log; + } } else if (s == NULL) { /* Validate remote SYN|ACK, re-create original SYN if * valid. */ @@ -7612,11 +7614,13 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb * } action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); if (action == PF_PASS) { - if (V_pfsync_update_state_ptr != NULL) - V_pfsync_update_state_ptr(s); - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; + if (s != NULL) { + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); + r = s->rule.ptr; + a = s->anchor.ptr; + log = s->log; + } } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, &pd, &a, &ruleset, inp);help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?692c1ce2.356fc.63801cce>