Date:      Mon, 17 Oct 2022 09:05:44 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: b136983a8a78 - main - if_ovpn: fix use-after-free
Message-ID:  <202210170905.29H95iSu020228@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=b136983a8a786677967b532fe74ae7975deec47b

commit b136983a8a786677967b532fe74ae7975deec47b
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-10-17 07:24:41 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-10-17 07:24:41 +0000

    if_ovpn: fix use-after-free
    
    ovpn_encrypt_tx_cb() calls ovpn_encap() to transmit a packet, then adds
    the length of the packet to the "tunnel_bytes_sent" counter.  However,
    after ovpn_encap() returns 0, the mbuf chain may have been freed, so the
    load of m->m_pkthdr.len may be a use-after-free.
    
    Reported by:    markj
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/net/if_ovpn.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index 55da53ae3eb6..524640639e76 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -1382,6 +1382,7 @@ ovpn_encrypt_tx_cb(struct cryptop *crp)
 	struct ovpn_kpeer *peer = crp->crp_opaque;
 	struct ovpn_softc *sc = peer->sc;
 	struct mbuf *m = crp->crp_buf.cb_mbuf;
+	int tunnel_len;
 	int ret;
 
 	if (crp->crp_etype != 0) {
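Review bot: the new "int tunnel_len;" declaration gives a signed int to a value whose computation later in the patch is m->m_pkthdr.len - sizeof(struct ovpn_wire_header). The sizeof operand is a size_t, so that subtraction is carried out in unsigned arithmetic and then narrowed implicitly on assignment, whereas the removed code passed the expression to OVPN_COUNTER_ADD() directly. Consider declaring tunnel_len as size_t, or casting the sizeof to int, so the variable's type matches the arithmetic and the conversion is explicit.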
@@ -1397,11 +1398,11 @@ ovpn_encrypt_tx_cb(struct cryptop *crp)
 
 	MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF);
 
+	tunnel_len = m->m_pkthdr.len - sizeof(struct ovpn_wire_header);
 	ret = ovpn_encap(sc, peer->peerid, m);
 	if (ret == 0) {
 		OVPN_COUNTER_ADD(sc, sent_data_pkts, 1);
-		OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, m->m_pkthdr.len -
-		    sizeof(struct ovpn_wire_header));
+		OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, tunnel_len);
 	}
 
 	CURVNET_RESTORE();
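Review bot: the ordering constraint that the fix relies on is not documented at the "tunnel_len = m->m_pkthdr.len - ..." line, so the assignment looks like something a later cleanup could fold back into the "if (ret == 0)" block. A one-line comment above it stating that ovpn_encap() may free the mbuf chain on success, and that m must not be dereferenced afterwards, would keep the use-after-free from being reintroduced. Since m remains in scope as a possibly stale pointer after the call, it is also worth confirming that nothing in the rest of the function, outside the lines shown here, touches m once ovpn_encap() has returned 0.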


