We can't implicitly trust the hook on NGQF_FN/NGQF_FN2 processing in

ng_apply_item(). There are possible (and I have got one) use-after-free class panics because of it. If hook is specified, require it to be valid at the apply time. The only exceptions are the internal ng_con_part2(), ng_con_part3() and ng_rmhook_part2() functions which are specially made to work with invalid hooks.
svn path=/head/; revision=182995
2008-09-13 09:17:02 +00:00 · 2008-09-13 09:17:02 +00:00 · 74c9119d4a · 2020-12-20 02:59:44 +00:00
commit 74c9119d4a
parent d56bc17bce
1 changed files with 14 additions and 6 deletions
--- a/sys/netgraph/ng_base.c
+++ b/sys/netgraph/ng_base.c
@ -2365,19 +2365,27 @@ ng_apply_item(node_p node, item_p item, int rw)
 	case NGQF_FN:
 	case NGQF_FN2:
 		/*
-		 *  We have to implicitly trust the hook,
-		 * as some of these are used for system purposes
-		 * where the hook is invalid. In the case of
-		 * the shutdown message we allow it to hit
+		 * In the case of the shutdown message we allow it to hit
 		 * even if the node is invalid.
 		 */
-		if ((NG_NODE_NOT_VALID(node))
-		&& (NGI_FN(item) != &ng_rmnode)) {
+		if (NG_NODE_NOT_VALID(node) &&
+		    NGI_FN(item) != &ng_rmnode) {
 			TRAP_ERROR();
 			error = EINVAL;
 			NG_FREE_ITEM(item);
 			break;
 		}
+		/* Same is about some internal functions and invalid hook. */
+		if (hook && NG_HOOK_NOT_VALID(hook) &&
+		    NGI_FN2(item) != &ng_con_part2 &&
+		    NGI_FN2(item) != &ng_con_part3 &&
+		    NGI_FN(item) != &ng_rmhook_part2) {
+			TRAP_ERROR();
+			error = EINVAL;
+			NG_FREE_ITEM(item);
+			break;
+		}
+		
 		if ((item->el_flags & NGQF_TYPE) == NGQF_FN) {
 			(*NGI_FN(item))(node, hook, NGI_ARG1(item),
 			    NGI_ARG2(item));