Message-Id: <201203071818.q27IIODu004746@svn.freebsd.org>
From: Gleb Smirnoff
Date: Wed, 7 Mar 2012 18:18:24 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r232663 - projects/pf/head/sys/contrib/pf/net

Author: glebius
Date: Wed Mar 7 18:18:24 2012
New Revision: 232663
URL: http://svn.freebsd.org/changeset/base/232663

Log:
  Ugly fix for a double free possible after r232656.

Modified:
  projects/pf/head/sys/contrib/pf/net/pf.c

Modified: projects/pf/head/sys/contrib/pf/net/pf.c
============================================================================== --- projects/pf/head/sys/contrib/pf/net/pf.c Wed Mar 7 18:13:33 2012 (r232662) +++ projects/pf/head/sys/contrib/pf/net/pf.c Wed Mar 7 18:18:24 2012 (r232663) 
@@ -723,12 +723,9 @@ pf_state_key_attach(struct pf_state_key } } /* - * Collided key may be the same we are trying to attach, - * this happens for non-NAT states, they are attached - * twice: via PF_SK_WIRE and PF_SK_STACK tailqs. + * Collided key is later freed in pf_state_insert(). + * XXXGL: should be redesigned. */ - if (cur != sk) - uma_zfree(V_pf_state_key_z, sk); s->key[idx] = cur; } else s->key[idx] = sk; @@ -835,12 +832,19 @@ pf_state_insert(struct pfi_kif *kif, str PF_KEYS_UNLOCK(); return (-1); } + + if (s->key[PF_SK_WIRE] != skw && skw != sks) + uma_zfree(V_pf_state_key_z, skw); + if (pf_state_key_attach(sks, s, PF_SK_STACK)) { pf_state_key_detach(s, PF_SK_WIRE); PF_KEYS_UNLOCK(); return (-1); } + if (s->key[PF_SK_STACK] != sks && s->key[PF_SK_WIRE] != sks) + uma_zfree(V_pf_state_key_z, sks); + if (s->id == 0 && s->creatorid == 0) { s->id = htobe64(V_pf_status.stateid++); s->creatorid = V_pf_status.hostid;
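Review bot: in the pf_state_key_attach() hunk (@@ -723), the collision branch now leaves sk allocated and expects the caller to notice that s->key[idx] ended up different from the pointer it passed in, but nothing in the function's interface states that ownership rule. Any caller that does not repeat the pointer comparison will leak the collided key, and one that frees unconditionally will double free when cur == sk. Until the redesign the XXXGL comment asks for, please document the contract at the top of the function (on collision sk is not consumed and the caller must free it) or hand the collision back explicitly, for example through a return value or out parameter. The deleted comment was also the only place that explained why cur can equal sk (non-NAT states attached through both PF_SK_WIRE and PF_SK_STACK); that sentence is worth keeping, since the new tests in pf_state_insert() depend on exactly that case.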
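Review bot: in the pf_state_insert() hunk (@@ -835), both new uma_zfree() calls sit on the success paths only, while the two visible "return (-1)" paths free neither skw nor sks, so it is not clear from this change who releases the keys when pf_state_key_attach() fails. Please confirm that the attach failure path still frees the key it was given, and that it cannot do so for a key already released here (skw is freed before the PF_SK_STACK attach is attempted); a short comment at each return would settle it. The conditions "s->key[PF_SK_WIRE] != skw && skw != sks" and "s->key[PF_SK_STACK] != sks && s->key[PF_SK_WIRE] != sks" also encode the shared-key non-NAT case without saying so; a one-line comment above each, or a small helper that names the rule, would make the next change here less likely to reintroduce the double free. Since skw is a dangling pointer after the first free, setting it to NULL there would guard against later use in this function.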