From nobody Sun Nov 30 10:30:58 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dK3GW6TStz6J7PH for ; Sun, 30 Nov 2025 10:30:59 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dK3GV6Hx3z3fQN for ; Sun, 30 Nov 2025 10:30:58 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1764498658; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=oNLo3FATt3yJQRUMVHjPIdRZ2UnvFEErTPJCGi7Fd3g=; b=ngfCFqQrCY9VFtBoR7RctgrMDQUe4FXlCYHbokYnarAwcyrjAzfGDq92SiGCpCDcfxV/ZY UlwFXJYmpd2PvYsyp4rayo8kT6JvRLrEpPR/tNfcLc5NipngSUKTioAti/1zjSXSIBRRYn DovD0+6EXQY/BodHXq2a1iv2/N53samgPZGJDTEkfylaFX/G82WFw561H7VLlgnL8RdsnU F7HERgceqrHi/6GIodJIKqPHOVeFzyKva1f7bHNwjae0Ebm4NRYgxgD7XuMGE0Zz6GnEu9 vXgZEOVTaWTpFBB/jXkWG8fozMJdlXc13BLSv3n74TKNTC5lHfoRHvYDUIDVWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1764498658; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=oNLo3FATt3yJQRUMVHjPIdRZ2UnvFEErTPJCGi7Fd3g=; b=HokooNXcQuUTWp9Z8O4eI3QFEomQy0Yk9tbiopMDuYiE+0ZAXXiCW6J9Fgdr00WF45YVQB 7sdPkbKSzDPyj221DAtxd5K+5ivDSNJjUxsK2CTbCnzwI+0eSPiWyjg7IQ4/ex84H3XyzC e4I4UJeSVKTxNLuR0Nqc/URsFZheNGyGGma12vM5IQnf6vAoxc94X+0lA0akrh5dEtl2qU Gj1L/6Syp0K3GHilSANcr1BytAgtZ3b8O1PB0BQLADI03cBWWwELoQV5DyAVUp5SsEm+bi qffeecB7IA+ZZQDo+fOrXozYf1ycTVD2IsEUclG/KYhFod1b9h34PgH+BtSiLA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1764498658; a=rsa-sha256; cv=none; b=MGxeI0C8kGoUVxXCVPcQs7Sqvpor3taV4nDrERhHgHTjDapS2qcRUbEs3YNRequRlBSnZX 7nQ9N7mVDZGozlJppkJpt73SR0UwEVPe/2gnV7NaZHM/IArfP470w/y3pCXOyra4vNCHTN th5rQ/uz/5Ntdcq3oEwnAKL87tVBfQGjy20vGHdZBrP4gZ01xoZmmXsmYDlA2l+MUuzuUF j1nqs26uyPbuCzNCEiUGUE7dTtxgQ4bFus38hhygbxWb6FLYZqHKWm65dZMV9XYZ1gxeYc 71HhqSa9DyvJFciO4Rc2JCUuqqqLkZsxl0Vv/OniDSF+P1btsi7WEgrebPEuDw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4dK3GV3vCpzXJZ for ; Sun, 30 Nov 2025 10:30:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 356fc by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Sun, 30 Nov 2025 10:30:58 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: 81385f622037 - stable/13 - pf: handle divert packets List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 81385f622037a5b78fd4f8046163367fa607d37a Auto-Submitted: auto-generated Date: Sun, 30 Nov 2025 10:30:58 +0000 Message-Id: <692c1ce2.356fc.63801cce@gitrepo.freebsd.org> The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=81385f622037a5b78fd4f8046163367fa607d37a commit 81385f622037a5b78fd4f8046163367fa607d37a Author: Kristof Provost AuthorDate: 2025-11-15 13:44:54 +0000 Commit: Kristof Provost CommitDate: 2025-11-29 20:02:00 +0000 pf: handle divert packets In a divert setup pf_test_state() may return PF_PASS, but not set the state pointer. We didn't handle that, and as a result crashed immediately afterwards trying to dereference that NULL state pointer. Add a test case to provoke the problem. PR: 260867 MFC after: 2 weeks Submitted by: Phil Budne Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 66f2f1c83247f05a3a599d7e88c7e7efbedd16b5) --- sys/netpfil/pf/pf.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 298793e6228e..16ce78560e2d 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7552,11 +7552,13 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb * action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, &reason); if (action == PF_PASS) { - if (V_pfsync_update_state_ptr != NULL) - V_pfsync_update_state_ptr(s); - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; + if (s != NULL) { + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); + r = s->rule.ptr; + a = s->anchor.ptr; + log = s->log; + } } else if (s == NULL) { /* Validate remote SYN|ACK, re-create original SYN if * valid. */ @@ -7612,11 +7614,13 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb * } action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); if (action == PF_PASS) { - if (V_pfsync_update_state_ptr != NULL) - V_pfsync_update_state_ptr(s); - r = s->rule.ptr; - a = s->anchor.ptr; - log = s->log; + if (s != NULL) { + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); + r = s->rule.ptr; + a = s->anchor.ptr; + log = s->log; + } } else if (s == NULL) action = pf_test_rule(&r, &s, dir, kif, m, off, &pd, &a, &ruleset, inp);