Date: Fri, 14 May 2021 08:26:38 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 255859] [Patch] ipfilter/netinent: Fix a use after free in ipf_nat_rule_deref Message-ID: <bug-255859-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255859

            Bug ID: 255859
           Summary: [Patch] ipfilter/netinent: Fix a use after free in ipf_nat_rule_deref
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: lylgood@foxmail.com

Created attachment 224922
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224922&action=edit
correct in_tqehead index number

Bug File: contrib/ipfilter/netinet/ip_nat.c

In function ipf_nat_rule_deref, if (n->in_tqehead[0] != NULL) is true, n->in_tqehead[1] will be freed in ipf_freetimeoutqueue() via KFREE(). But the freed pointer n->in_tqehead[1] is still used in the later ipf_deletetimeoutqueue(n->in_tqehead[1]), which is a use-after-free bug. According to the surrounding code pattern, I think this bug is caused by mistyping. My patch corrects the index number of n->in_tqehead in the case where if (n->in_tqehead[0] != NULL) is true.

-- 
You are receiving this mail because:
You are the assignee for the bug.
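The following C model is an added illustration, not code from the report or from ipfilter: it reproduces the reported shape of the defect with stand-in types (tq_t, nat_rule_t and the two helper functions are constructed, not the real ipftq/ipnat_t code) and a poison-on-free marker in place of KFREE(), so the stale use of in_tqehead[1] is counted instead of dereferencing freed memory; rule_deref_fixed shows the corrected index.

```c
#include <stddef.h>
/* Constructed model of the ipf_nat_rule_deref defect; struct and helpers are
 * stand-ins for ipfilter's ipftq/ipnat_t and are not its real code. */
typedef struct tq { int refcnt; int freed; } tq_t;
typedef struct nat_rule { tq_t *in_tqehead[2]; } nat_rule_t;

/* Stand-in for ipf_freetimeoutqueue(): poison the block instead of returning
 * it to the allocator (as a debug allocator or KASAN would) so later use shows. */
static void free_timeout_queue(tq_t *q) { q->freed = 1; }

/* Stand-in for ipf_deletetimeoutqueue(): drop one reference. Returns 1 when
 * the queue was already released, i.e. this call is a use after free. */
static int delete_timeout_queue(tq_t *q) {
    if (q->freed) return 1;
    q->refcnt--;
    return 0;
}

/* Reported shape: the branch guarded by in_tqehead[0] releases slot [1], and
 * slot [1] is then still handed to delete_timeout_queue(). Returns UAF count. */
static int rule_deref_buggy(nat_rule_t *n) {
    int uaf = 0;
    if (n->in_tqehead[0] != NULL) {
        uaf += delete_timeout_queue(n->in_tqehead[0]);
        free_timeout_queue(n->in_tqehead[1]);          /* mistyped index */
    }
    if (n->in_tqehead[1] != NULL) {
        uaf += delete_timeout_queue(n->in_tqehead[1]); /* freed pointer used */
        free_timeout_queue(n->in_tqehead[1]);
    }
    return uaf;
}

/* Fixed shape: each branch releases the slot whose pointer it just tested. */
static int rule_deref_fixed(nat_rule_t *n) {
    int uaf = 0;
    for (int i = 0; i < 2; i++)
        if (n->in_tqehead[i] != NULL) {
            uaf += delete_timeout_queue(n->in_tqehead[i]);
            free_timeout_queue(n->in_tqehead[i]);
        }
    return uaf;
}

/* Run one variant on a rule holding two live queues; return its UAF count. */
static int run_deref(int (*deref)(nat_rule_t *)) {
    tq_t q0 = { 1, 0 }, q1 = { 1, 0 };
    nat_rule_t n = { { &q0, &q1 } };
    return deref(&n);
}
```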