From b136983a8a786677967b532fe74ae7975deec47b Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Mon, 17 Oct 2022 09:24:41 +0200
Subject: [PATCH] if_ovpn: fix use-after-free
ovpn_encrypt_tx_cb() calls ovpn_encap() to transmit a packet, then adds the length of the packet to the "tunnel_bytes_sent" counter. However, after ovpn_encap() returns 0, the mbuf chain may have been freed, so the load of m->m_pkthdr.len may be a use-after-free.
Reported by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sys/net/if_ovpn.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index 55da53ae3eb6..524640639e76 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -1382,6 +1382,7 @@ ovpn_encrypt_tx_cb(struct cryptop *crp)
 struct ovpn_kpeer *peer = crp->crp_opaque;
 struct ovpn_softc *sc = peer->sc;
 struct mbuf *m = crp->crp_buf.cb_mbuf;
+ int tunnel_len;
 int ret;
 if (crp->crp_etype != 0) {
@@ -1397,11 +1398,11 @@ ovpn_encrypt_tx_cb(struct cryptop *crp)
 MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF);
+ tunnel_len = m->m_pkthdr.len - sizeof(struct ovpn_wire_header);
 ret = ovpn_encap(sc, peer->peerid, m);
 if (ret == 0) {
 OVPN_COUNTER_ADD(sc, sent_data_pkts, 1);
- OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, m->m_pkthdr.len -
- sizeof(struct ovpn_wire_header));
+ OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, tunnel_len);
 }
 CURVNET_RESTORE();
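Review bot: The assignment to `tunnel_len` in the second hunk carries no comment explaining why the length must be read before `ovpn_encap()`, so a later cleanup could fold `m->m_pkthdr.len` back into the counter call and reintroduce the use-after-free; I would add `/* ovpn_encap() may free m even when it returns 0; read the length first. */` above it. `tunnel_len` is declared `int` in the first hunk, while the subtraction involves `sizeof` and is therefore evaluated as an unsigned type and then narrowed. If a packet shorter than the wire header could ever reach this callback the counter would be fed a wrapped value, so an `MPASS(m->m_pkthdr.len >= sizeof(struct ovpn_wire_header));` before the subtraction would make the assumption explicit (it is presumably guaranteed by the encrypt path, which is not visible here). The body of ovpn_encrypt_tx_cb() starts and ends outside both hunks.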