upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pf: fix sctp deadlock

Browse source 
It is possible for pf_test_state_sctp() to find a state and still return
PF_DROP (or not PF_PASS, to be exact). In that case we would run pf_test_rule()
unconditionally, but this would overwrite the (locked!) state pointer
pf_test_state_sctp() gave us. As a result we will later deadlock, trying the
lock the already locked state.

Do what we do for UDP and TCP, and explicitly check s for NULL before we run
pf_test_rule().

MFC after:	1 week
Sponsored by:	Orange Business Services

(cherry picked from commit a9639adaedb4d67340c4ae386fe8fcd18e4a8a21)
This commit is contained in:
Kristof Provost 2024-07-09 20:49:49 +02:00 committed by Franco Fichtner
parent c7d09f16cc
commit 9085232872
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
sys/netpfil/pf/pf.c
View file

@ -8206,7 +8206,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
V_pfsync_update_state_ptr(s);
r = s->rule.ptr;
a = s->anchor.ptr;
} else {
} else if (s == NULL) {
action = pf_test_rule(&r, &s, kif, m, off,
&pd, &a, &ruleset, inp);
}
@ -8815,7 +8815,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
V_pfsync_update_state_ptr(s);
r = s->rule.ptr;
a = s->anchor.ptr;
} else {
} else if (s == NULL) {
action = pf_test_rule(&r, &s, kif, m, off,
&pd, &a, &ruleset, inp);
}