Date: Thu, 02 Feb 2023 17:42:34 +0000 From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 266442] kernel page fault on packet with broken lengths if ipfilter is loaded Message-ID: <bug-266442-7501-1jJpxKBOhV@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-266442-7501@https.bugs.freebsd.org/bugzilla/> References: <bug-266442-7501@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D266442 --- Comment #6 from commit-hook@FreeBSD.org --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=3D79f7745c098a766d34a4e072cdd1a06e6= d0829d5 commit 79f7745c098a766d34a4e072cdd1a06e6d0829d5 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2023-02-02 00:49:08 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2023-02-02 17:41:22 +0000 ipfilter: Fix use after free on packet with broken lengths Under the scenario with a packet with length of 67 bytes, a header leng= th using the default of 20 bytes and a TCP data offset (th_off) of 48 will cause m_pullup() to fail to make sure bytes are arragned contiguously. m_pullup() will free the mbuf chain and return a null. ipfilter stores the resultant mbuf address (or the resulting NULL) in its fr_info_t structure. Unfortuntely the eroneous packet is not flagged for drop. This results in a kernel page fault at line 410 of sys/netinet/ip_fastf= wd.c as it tries to use a now previously freed, by m_pullup(), mbuf. PR: 266442 Reported by: Robert Morris <rtm@lcs.mit.edu> MFC after: 1 week sys/netpfil/ipfilter/netinet/fil.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) --=20 You are receiving this mail because: You are on the CC list for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-266442-7501-1jJpxKBOhV>