pf: Fix a crash in low-memory situations

If the call to pf_state_key_clone() in pf_get_translation() fails (i.e. there's no more memory for it) it frees skp. This is wrong, because skp is a pf_state_key **, so we need to free *skp, as is done later in the function. Getting it wrong means we try to free a stack variable of the calling pf_test_rule() function, and we panic.
2017-03-06 23:41:23 +00:00 · 2017-03-06 23:41:23 +00:00 · 98a9874f7b
commit 98a9874f7b
parent 6d4f05fd11
1 changed files with 1 additions and 1 deletions
--- a/sys/netpfil/pf/pf_lb.c
+++ b/sys/netpfil/pf/pf_lb.c
@ -553,7 +553,7 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
 		return (NULL);
 	*nkp = pf_state_key_clone(*skp);
 	if (*nkp == NULL) {
-		uma_zfree(V_pf_state_key_z, skp);
+		uma_zfree(V_pf_state_key_z, *skp);
 		*skp = NULL;
 		return (NULL);
 	}