Date:      Wed, 25 Feb 2026 13:42:06 +0000
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: b642867c2cc7 - stable/15 - pf: avoid NULL deref on purged states
Message-ID:  <699efc2e.470b8.732e3c13@gitrepo.freebsd.org>

The branch stable/15 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=b642867c2cc7e06057ba766c9847ecd200c53bd2

commit b642867c2cc7e06057ba766c9847ecd200c53bd2
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-02-18 18:23:42 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-02-25 09:13:13 +0000

    pf: avoid NULL deref on purged states
    
    States can be invalidated and still be present in the state table for a
    while (until the pf_purge thread cleans them up). These states might not
    have keys set, so we must make sure a state is not purged before we try
    to access those keys.
    
    MFC after:      1 week
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit d60082f16e4c91d4b97d8b3b56b39fa348ecfbda)
---
 sys/netpfil/pf/pf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 882c7f4cc0dc..8b0fca69827e 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -1943,8 +1943,10 @@ pf_find_state(struct pf_pdesc *pd, const struct pf_state_key_cmp *key,
 	/* Look through the other list, in case of AF-TO */
 	idx = idx == PF_SK_WIRE ? PF_SK_STACK : PF_SK_WIRE;
 	TAILQ_FOREACH(s, &sk->states[idx], key_list[idx]) {
-		if (s->key[PF_SK_WIRE]->af == s->key[PF_SK_STACK]->af)
+		if (s->timeout < PFTM_MAX &&
+		    s->key[PF_SK_WIRE]->af == s->key[PF_SK_STACK]->af)
 			continue;
+
 		if (s->kif == V_pfi_all || s->kif == pd->kif ||
 		    s->orig_kif == pd->kif) {
 			PF_STATE_LOCK(s);
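
Review bot: In the new condition inside the TAILQ_FOREACH over sk->states[idx], a purged state (s->timeout >= PFTM_MAX) no longer dereferences its keys, but it also no longer takes the `continue`, so it falls through to the s->kif / s->orig_kif comparison and can reach PF_STATE_LOCK(s). The visible context does not show a second purged-state check after the lock, so please confirm one exists, or skip such states outright with a separate `if (s->timeout >= PFTM_MAX) continue;` ahead of the address-family test. The timeout is also read before PF_STATE_LOCK(s) is taken; a short comment saying why that unlocked read is safe, and that a timeout at or above PFTM_MAX marks a state waiting for pf_purge whose keys may be unset, would help the next reader.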

