Date:      Fri, 17 Apr 2026 06:32:56 +0000
From:      Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: c775ed207fcd - stable/15 - routing: Fix use-after-free in finalize_nhop
Message-ID:  <69e1d418.400b9.4b42bacb@gitrepo.freebsd.org>

The branch stable/15 has been updated by pouria:

URL: https://cgit.FreeBSD.org/src/commit/?id=c775ed207fcd2036754b8f17a67cae61cf1977cd

commit c775ed207fcd2036754b8f17a67cae61cf1977cd
Author:     Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
AuthorDate: 2026-04-14 09:36:53 +0000
Commit:     Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
CommitDate: 2026-04-17 06:31:35 +0000

    routing: Fix use-after-free in finalize_nhop
    
    FIB_NH_LOG calls the `nhop_get_upper_family(nh)` to read
    `nh->nh_priv->nh_upper_family` for failure logging.
    Call FIB_NH_LOG before freeing nh so failures are logged
    without causing a panic.
    
    MFC after: 3 days
    
    (cherry picked from commit 7d38eb720a8d8345949986d779e785984ae19ae0)
---
 sys/net/route/nhop_ctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/net/route/nhop_ctl.c b/sys/net/route/nhop_ctl.c
index 0c028c7ae877..30c73188600d 100644
--- a/sys/net/route/nhop_ctl.c
+++ b/sys/net/route/nhop_ctl.c
@@ -492,17 +492,17 @@ finalize_nhop(struct nh_control *ctl, struct nhop_object *nh, bool link)
 	/* Allocate per-cpu packet counter */
 	nh->nh_pksent = counter_u64_alloc(M_NOWAIT);
 	if (nh->nh_pksent == NULL) {
+		FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed");
 		nhop_free(nh);
 		RTSTAT_INC(rts_nh_alloc_failure);
-		FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed");
 		return (ENOMEM);
 	}
 
 	if (!reference_nhop_deps(nh)) {
+		FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed");
 		counter_u64_free(nh->nh_pksent);
 		nhop_free(nh);
 		RTSTAT_INC(rts_nh_alloc_failure);
-		FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed");
 		return (EAGAIN);
 	}
 
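Review bot: Both failure branches, the `nh->nh_pksent == NULL` check and the `!reference_nhop_deps(nh)` check, now depend on an unstated ordering rule: FIB_NH_LOG has to run before nhop_free(nh) because, per the commit message, the macro reads `nh->nh_priv->nh_upper_family` through nhop_get_upper_family(nh). A short comment above each FIB_NH_LOG call, or a shared error label that logs first and frees afterwards, would keep a later reorder from reintroducing the use-after-free. The statements that still follow nhop_free(nh) in both branches, RTSTAT_INC(rts_nh_alloc_failure) and the return, do not reference nh, so nothing else in the visible lines needs to move.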

