Fix a use after free panic in ipfilter's fragment processing.

Memory is malloc'd, then a search for a match in the fragment table
is made and if the fragment matches, the wrong fragment table is
freed, causing a use after free panic. This commit fixes this.

A symptom of the problem is a kernel page fault in bcopy() called by
ipf_frag_lookup() at line 715 in ip_frag.c. Another symptom is a
kernel page fault in ipf_frag_delete() when called by ipf_frag_expire()
via ipf_slowtimer().

MFC after:	1 week
Cy Schubert 2017-04-14 03:54:36 +00:00
parent 8d16945419
commit 666bd4d253

@ -474,7 +474,7 @@ ipfr_frag_new(softc, softf, fin, pass, table
IPFR_CMPSZ)) {
RWLOCK_EXIT(lock);
FBUMPD(ifs_exists);
KFREE(fra);
KFREE(fran);
return NULL;
}
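Review bot: The rendered hunk has lost its +/- markers, so `KFREE(fra);` followed by `KFREE(fran);` reads as two consecutive frees; given the one-line change in the hunk header (-474,7 +474,7) and the commit message, the intent is that `KFREE(fra);` is the removed line and `KFREE(fran);` the added one, so the `ifs_exists` early-return path now frees the freshly allocated `fran` instead of the existing table entry `fra` that the lookup matched. That is the right fix for the use-after-free described: `fra` is still linked in the fragment table and will be reached again by `ipf_frag_lookup()` and by `ipf_frag_expire()` via `ipf_slowtimer()`, while `fran` is not yet reachable from anywhere, so freeing it after `RWLOCK_EXIT(lock)` is safe. It would help future readers to add a brief comment on the free, e.g. `/* existing entry matched; discard the new allocation, not the table entry */`, since the two names differ by one letter and this is exactly the confusion that caused the original bug.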