Date: Fri, 14 May 2021 08:29:20 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 255859] [Patch] ipfilter/netinent: Fix a use after free in ipf_nat_rule_deref Message-ID: <bug-255859-227-upIl0jUw3K@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-255859-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | previous in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255859 --- Comment #1 from lylgood@foxmail.com --- Comment on attachment 224922 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224922 correct in_tqehead index number >diff --git a/contrib/ipfilter/netinet/ip_nat.c b/contrib/ipfilter/netinet/ip_nat.c.orig >index 0475a4386079..41e51880b3dd 100644 >--- a/contrib/ipfilter/netinet/ip_nat.c >+++ b/contrib/ipfilter/netinet/ip_nat.c.orig >@@ -6245,7 +6245,7 @@ ipf_nat_rule_deref(softc, inp) > > if (n->in_tqehead[0] != NULL) { > if (ipf_deletetimeoutqueue(n->in_tqehead[0]) == 0) { >+ ipf_freetimeoutqueue(softc, n->in_tqehead[0]); >- ipf_freetimeoutqueue(softc, n->in_tqehead[1]); > } > } > -- You are receiving this mail because: You are the assignee for the bug.help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-255859-227-upIl0jUw3K>