d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

if_ovpn: fix use-after-free

Browse Source 
ovpn_encrypt_tx_cb() calls ovpn_encap() to transmit a packet, then adds
the length of the packet to the "tunnel_bytes_sent" counter.  However,
after ovpn_encap() returns 0, the mbuf chain may have been freed, so the
load of m->m_pkthdr.len may be a use-after-free.

Reported by:	markj
Sponsored by:	Rubicon Communications, LLC ("Netgate")
This commit is contained in:
Kristof Provost 2022-10-17 09:24:41 +02:00
parent 865f46b255
commit b136983a8a
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sys/net/if_ovpn.c
View File

@ -1382,6 +1382,7 @@ ovpn_encrypt_tx_cb(struct cryptop *crp)
struct ovpn_kpeer *peer = crp->crp_opaque;
struct ovpn_softc *sc = peer->sc;
struct mbuf *m = crp->crp_buf.cb_mbuf;
int tunnel_len;
int ret;
if (crp->crp_etype != 0) {
@ -1397,11 +1398,11 @@ ovpn_encrypt_tx_cb(struct cryptop *crp)
MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF);
tunnel_len = m->m_pkthdr.len - sizeof(struct ovpn_wire_header);
ret = ovpn_encap(sc, peer->peerid, m);
if (ret == 0) {
OVPN_COUNTER_ADD(sc, sent_data_pkts, 1);
OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, m->m_pkthdr.len -
sizeof(struct ovpn_wire_header));
OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, tunnel_len);
}
CURVNET_RESTORE();