From 74c9119d4a985d841285abd262c5f3d06e7c5e18 Mon Sep 17 00:00:00 2001
From: Alexander Motin
Date: Sat, 13 Sep 2008 09:17:02 +0000
Subject: [PATCH] We can't implicitly trust the hook on NGQF_FN/NGQF_FN2 processing in ng_apply_item(). There are possible (and I have got one) use-after-free class panics because of it. If hook is specified, require it to be valid at the apply time. The only exceptions are the internal ng_con_part2(), ng_con_part3() and ng_rmhook_part2() functions which are specially made to work with invalid hooks.
---
 sys/netgraph/ng_base.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/sys/netgraph/ng_base.c b/sys/netgraph/ng_base.c
index b41d57da1f9..4012e358cce 100644
--- a/sys/netgraph/ng_base.c
+++ b/sys/netgraph/ng_base.c
@@ -2365,19 +2365,27 @@ ng_apply_item(node_p node, item_p item, int rw)
 case NGQF_FN:
 case NGQF_FN2:
 /*
- * We have to implicitly trust the hook,
- * as some of these are used for system purposes
- * where the hook is invalid. In the case of
- * the shutdown message we allow it to hit
+ * In the case of the shutdown message we allow it to hit
 * even if the node is invalid.
 */
- if ((NG_NODE_NOT_VALID(node))
- && (NGI_FN(item) != &ng_rmnode)) {
+ if (NG_NODE_NOT_VALID(node) &&
+ NGI_FN(item) != &ng_rmnode) {
 TRAP_ERROR();
 error = EINVAL;
 NG_FREE_ITEM(item);
 break;
 }
+ /* Same is about some internal functions and invalid hook. */
+ if (hook && NG_HOOK_NOT_VALID(hook) &&
+ NGI_FN2(item) != &ng_con_part2 &&
+ NGI_FN2(item) != &ng_con_part3 &&
+ NGI_FN(item) != &ng_rmhook_part2) {
+ TRAP_ERROR();
+ error = EINVAL;
+ NG_FREE_ITEM(item);
+ break;
+ }
+
 if ((item->el_flags & NGQF_TYPE) == NGQF_FN) {
 (*NGI_FN(item))(node, hook, NGI_ARG1(item),
 NGI_ARG2(item));
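Review bot: The new hook check compares NGI_FN2(item) against &ng_con_part2/&ng_con_part3 and NGI_FN(item) against &ng_rmhook_part2 without first consulting (item->el_flags & NGQF_TYPE), so every item is tested through the callback accessor of the other item type as well; if, as the names suggest, NGI_FN and NGI_FN2 read the same item field this is harmless, but the exemption would be clearer and less fragile if it branched on the type and compared only the matching accessor, which is what the NGQF_FN test a few lines below already does. The exemption is an allowlist keyed on function address, so any future internal callback that legitimately runs on a hook that is being connected or torn down must be added here or it will be rejected with EINVAL and its item freed; the comment should say so. The added comment `/* Same is about some internal functions and invalid hook. */` is hard to parse, and I would replace it with `/* Likewise require a valid hook, except for the internal connect/remove helpers (ng_con_part2/3, ng_rmhook_part2) that are written to run on a hook that is not yet, or no longer, valid. */`. The body of ng_apply_item continues outside this hunk.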