From owner-svn-src-stable-7@FreeBSD.ORG Fri Jan 9 21:02:55 2009
Return-Path:
Delivered-To: svn-src-stable-7@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0D2BA1065672; Fri, 9 Jan 2009 21:02:55 +0000 (UTC) (envelope-from mav@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id EECBA8FC08; Fri, 9 Jan 2009 21:02:54 +0000 (UTC) (envelope-from mav@FreeBSD.org)
Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n09L2sYc068795; Fri, 9 Jan 2009 21:02:54 GMT (envelope-from mav@svn.freebsd.org)
Received: (from mav@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n09L2sMa068794; Fri, 9 Jan 2009 21:02:54 GMT (envelope-from mav@svn.freebsd.org)
Message-Id: <200901092102.n09L2sMa068794@svn.freebsd.org>
From: Alexander Motin
Date: Fri, 9 Jan 2009 21:02:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
X-SVN-Group: stable-7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc:
Subject: svn commit: r186976 - in stable/7/sys: . contrib/pf dev/ath/ath_hal dev/cxgb netgraph
X-BeenThere: svn-src-stable-7@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for only the 7-stable src tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 Jan 2009 21:02:55 -0000

Author: mav
Date: Fri Jan 9 21:02:54 2009
New Revision: 186976

URL: http://svn.freebsd.org/changeset/base/186976

Log:
  MFC rev. 182995

  We can't implicitly trust the hook on NGQF_FN/NGQF_FN2 processing in
  ng_apply_item(). There are possible (and I have got one) use-after-free
  class panics because of it. If a hook is specified, require it to be valid
  at apply time. The only exceptions are the internal ng_con_part2(),
  ng_con_part3() and ng_rmhook_part2() functions, which are specially made
  to work with invalid hooks.

Modified:
  stable/7/sys/ (props changed)
  stable/7/sys/contrib/pf/ (props changed)
  stable/7/sys/dev/ath/ath_hal/ (props changed)
  stable/7/sys/dev/cxgb/ (props changed)
  stable/7/sys/netgraph/ng_base.c

Modified: stable/7/sys/netgraph/ng_base.c
==============================================================================
--- stable/7/sys/netgraph/ng_base.c	Fri Jan 9 20:57:43 2009	(r186975)
+++ stable/7/sys/netgraph/ng_base.c	Fri Jan 9 21:02:54 2009	(r186976)
@@ -2377,19 +2377,27 @@ ng_apply_item(node_p node, item_p item, case NGQF_FN: case NGQF_FN2: /* - * We have to implicitly trust the hook, - * as some of these are used for system purposes - * where the hook is invalid. In the case of - * the shutdown message we allow it to hit + * In the case of the shutdown message we allow it to hit * even if the node is invalid. */ - if ((NG_NODE_NOT_VALID(node)) - && (NGI_FN(item) != &ng_rmnode)) { + if (NG_NODE_NOT_VALID(node) && + NGI_FN(item) != &ng_rmnode) { TRAP_ERROR(); error = EINVAL; NG_FREE_ITEM(item); break; } + /* Same is about some internal functions and invalid hook. */ + if (hook && NG_HOOK_NOT_VALID(hook) && + NGI_FN2(item) != &ng_con_part2 && + NGI_FN2(item) != &ng_con_part3 && + NGI_FN(item) != &ng_rmhook_part2) { + TRAP_ERROR(); + error = EINVAL; + NG_FREE_ITEM(item); + break; + } + if ((item->el_flags & NGQF_TYPE) == NGQF_FN) { (*NGI_FN(item))(node, hook, NGI_ARG1(item), NGI_ARG2(item));
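Review bot: the new invalid-hook check compares both NGI_FN2(item) and NGI_FN(item) against the three internal exceptions without first consulting (item->el_flags & NGQF_TYPE), even though the very next line dispatches on exactly that type; the exception test would be tighter if ng_con_part2/ng_con_part3 were accepted only for NGQF_FN2 items and ng_rmhook_part2 only for NGQF_FN items, for example by computing an internal-function flag from the item type just before the check. The added comment "Same is about some internal functions and invalid hook." should spell out what a reader needs to know: an item carrying an invalid hook is rejected with EINVAL unless it targets one of those three functions, which are written to tolerate it, and any future internal callback that must run with an invalid hook has to be added to this list. The rejection block also duplicates the TRAP_ERROR()/EINVAL/NG_FREE_ITEM() sequence of the node-validity check immediately above it; folding the two conditions into one if, or sharing the error path, would keep the two from drifting apart.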