Fix a race: we should update sc_len before dropping the pf lock, otherwise a

number of packets can be queued on sc, while we are in ip_output(), and then we wipe the accumulated sc_len. On next pfsync_sendout() that would lead to writing beyond our mbuf cluster.
2011-10-21 22:28:15 +00:00 · 2011-10-21 22:28:15 +00:00 · 8dc59178a8
commit 8dc59178a8
parent 72b880fa83
1 changed files with 1 additions and 3 deletions
--- a/sys/contrib/pf/net/if_pfsync.c
+++ b/sys/contrib/pf/net/if_pfsync.c
@ -2354,6 +2354,7 @@ pfsync_sendout(void)
 	sc->sc_if.if_obytes += m->m_pkthdr.len;
 #endif

+	sc->sc_len = PFSYNC_MINPKT;
 #ifdef __FreeBSD__
 	PF_UNLOCK();
 #endif
@ -2375,9 +2376,6 @@ pfsync_sendout(void)
 #ifdef __FreeBSD__
 	}
 #endif
-
-	/* start again */
-	sc->sc_len = PFSYNC_MINPKT;
 }

 void