d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix NULL pointer deref in ipfw when using dummynet at layer 2.

Browse Source 
Drop packet if pkg->ifp is NULL, which is the case here.

ref. https://github.com/HardenedBSD/hardenedBSD
commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7

PR 193861 --  DUMMYNET LAYER2: kernel panic

in this case a kernel panic occurs. Hence, when we do not get an interface,
we just drop the packet in question.

PR:		193681
Submitted by:	David Carlier <david.carlier@hardenedbsd.org>
Obtained from:	Hardened BSD
MFC after:	2 weeks
Relnotes:	yes
This commit is contained in:
Sean Bruno 2014-09-25 02:26:05 +00:00
parent 32e570e701
commit 488c0a7ca8
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
sys/netpfil/ipfw/ip_dn_io.c
View File

@ -751,10 +751,15 @@ dummynet_send(struct mbuf *m)
/* extract the dummynet info, rename the tag
* to carry reinject info.
*/
dst = pkt->dn_dir;
ifp = pkt->ifp;
tag->m_tag_cookie = MTAG_IPFW_RULE;
tag->m_tag_id = 0;
if (pkt->dn_dir == (DIR_OUT | PROTO_LAYER2) &&
pkt->ifp == NULL) {
dst = DIR_DROP;
} else {
dst = pkt->dn_dir;
ifp = pkt->ifp;
tag->m_tag_cookie = MTAG_IPFW_RULE;
tag->m_tag_id = 0;
}
}
switch (dst) {