Date: Tue, 21 Apr 2026 11:32:54 +0000 From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 07a3501e6c85 - main - loopback: fix use-after-free Message-ID: <69e76066.409e4.11f83ddd@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=07a3501e6c85baa4236061f8af4c2772307835f4 commit 07a3501e6c85baa4236061f8af4c2772307835f4 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2026-04-21 09:19:26 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2026-04-21 09:51:29 +0000 loopback: fix use-after-free Once we hand an mbuf over to netisr_queue() we may no longer access it. Save the length before the call so we can use it to increment counters afterwards. Fixes: 956acdce0505 ("loopback: Account for packet drops") Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/net/if_loop.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/net/if_loop.c b/sys/net/if_loop.c index 2ff265d5d1e7..33ddd3a8540e 100644 --- a/sys/net/if_loop.c +++ b/sys/net/if_loop.c @@ -276,6 +276,7 @@ int if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen) { int isr; + int32_t len; M_ASSERTPKTHDR(m); m_tag_delete_nonpersistent(m); @@ -350,9 +351,10 @@ if_simloop(struct ifnet *ifp, struct mbuf *m, int af, int hlen) m_freem(m); return (EAFNOSUPPORT); } + len = m->m_pkthdr.len; if (netisr_queue(isr, m) == 0) { if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); - if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len); + if_inc_counter(ifp, IFCOUNTER_IBYTES, len); } else { /* mbuf is free'd on failure. */ if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69e76066.409e4.11f83ddd>