The branch stable/14 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=980eedb0cad684c1e4a64d063df2ee7d28fa693d

commit 980eedb0cad684c1e4a64d063df2ee7d28fa693d
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-01-06 20:08:04 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-01-20 16:26:49 +0000

    pf: avoid use-after-free on reassembly
    
    Ensure we update the mbuf pointer returned by pf_normalize_ip() or
    pf_normalize_ip6() even if they fail.
    Otherwise we'd risk using a freed mbuf.
    
    PR:             283705
    Reported by:    Yichen Chai <yichen.c...@gmail.com>, Zhuo Ying Jiang Li 
<zy...@cl.cam.ac.uk>
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit 5d28f4cab8d5919aba1365e885a91a96c0655b59)
---
 sys/netpfil/pf/pf.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 18b907c45d38..31c3dd8009de 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8424,6 +8424,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
                if (mtag != NULL)
                        m_tag_delete(m, mtag);
        } else if (pf_normalize_ip(m0, kif, &reason, &pd) != PF_PASS) {
+               m = *m0;
                /* We do IP header normalization and packet reassembly here */
                action = PF_DROP;
                goto done;
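Review bot: The new `m = *m0;` on the failure branch carries no explanation, and the pre-existing comment about normalization now sits below it, so a reader meets the reload before the reason for it. I would annotate the line as `m = *m0; /* pf_normalize_ip() may have freed the mbuf; *m0 is then NULL */` so the NULL check at done: is traceable back to this point. Only `m` is refreshed here: `h` and any pd fields that still point into the original mbuf are not, so the done: path must not dereference them when normalization failed with a freed or replaced mbuf; the `action == PF_PASS &&` short-circuit on the options check appears to protect `h`, but that invariant is worth stating in the comment. pf_test's body continues outside this hunk.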
@@ -8629,6 +8630,10 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
 
 done:
        PF_RULES_RUNLOCK();
+
+       if (m == NULL)
+               goto out;
+
        if (action == PF_PASS && h->ip_hl > 5 &&
            !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
                action = PF_DROP;
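Review bot: The `m == NULL` bailout jumps over everything between done: and out:, which from this hunk includes the IP options check and, in the remainder of the done: section not shown here, presumably the pflog logging and interface/rule counters, so a packet dropped because reassembly failed and freed the mbuf is neither logged nor counted; if that is intended it deserves a comment such as `/* pf_normalize_ip() freed the mbuf (reassembly failure): nothing left to log or count. */`. A NULL mbuf is only expected together with a drop, so `KASSERT(action == PF_DROP, ("%s: NULL mbuf with action %d", __func__, action));` ahead of the goto would turn a future path that passes a freed mbuf into a loud INVARIANTS panic rather than a silent skip. The done: section and the out: label extend beyond this hunk.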
@@ -8968,6 +8973,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0, struct inpcb
 
        /* We do IP header normalization and packet reassembly here */
        if (pf_normalize_ip6(m0, kif, &reason, &pd) != PF_PASS) {
+               m = *m0;
                action = PF_DROP;
                goto done;
        }
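Review bot: The explanatory comment placement now differs between the two paths: here it precedes the `if` while in pf_test it sits inside the branch after the reload, and since these functions are maintained in lockstep I would make them read identically and add `/* pf_normalize_ip6() frees the mbuf on reassembly failure; *m0 is then NULL */` next to `m = *m0;`. As on the IPv4 side, only `m` is refreshed on failure; if the success path below re-derives `h` from `*m0` (not visible here), the done: code must treat `h` and header-derived pd fields as stale whenever `m` is NULL. pf_test6's body continues outside the hunk.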
@@ -9237,6 +9243,9 @@ done:
                n = NULL;
        }
 
+       if (m == NULL)
+               goto out;
+
        /* handle dangerous IPv6 extension headers. */
        if (action == PF_PASS && rh_cnt &&
            !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
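Review bot: The NULL check is placed after the `n` cleanup (the `n = NULL; }` block just above it) rather than immediately after PF_RULES_RUNLOCK() as in pf_test's done:, so the bailout sits at different points in the two functions; if that ordering is deliberate, so that an `n` mbuf distinct from `m` is still freed when reassembly failed, a comment such as `/* m may be NULL after a failed pf_normalize_ip6(); free n first, then bail. */` would stop someone from later "harmonizing" it with the IPv4 path. Everything after the goto, including the extension-header check visible here and whatever logging and counting follows outside the hunk, is skipped for the freed-mbuf case, which should be a conscious choice. The done: label and the out: target are outside this hunk.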
