upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pf: avoid use-after-free on reassembly

Browse source 
Ensure we update the mbuf pointer returned by pf_normalize_ip() or
pf_normalize_ip6() even if they fail.
Otherwise we'd risk using a freed mbuf.

PR:             283705
Reported by:    Yichen Chai <yichen.chai@gmail.com>, Zhuo Ying Jiang Li <zyj20@cl.cam.ac.uk>
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 5d28f4cab8d5919aba1365e885a91a96c0655b59)
This commit is contained in:
Kristof Provost 2025-01-06 21:08:04 +01:00
parent 23b2704059
commit 980eedb0ca
1 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
sys/netpfil/pf/pf.c
View file

@ -8424,6 +8424,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
if (mtag != NULL)
m_tag_delete(m, mtag);
} else if (pf_normalize_ip(m0, kif, &reason, &pd) != PF_PASS) {
m = *m0;
/* We do IP header normalization and packet reassembly here */
action = PF_DROP;
goto done;
@ -8629,6 +8630,10 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
done:
PF_RULES_RUNLOCK();
if (m == NULL)
goto out;
if (action == PF_PASS && h->ip_hl > 5 &&
!((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
action = PF_DROP;
@ -8968,6 +8973,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
/* We do IP header normalization and packet reassembly here */
if (pf_normalize_ip6(m0, kif, &reason, &pd) != PF_PASS) {
m = *m0;
action = PF_DROP;
goto done;
}
@ -9237,6 +9243,9 @@ done:
n = NULL;
}
if (m == NULL)
goto out;
/* handle dangerous IPv6 extension headers. */
if (action == PF_PASS && rh_cnt &&
!((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {