Module Name:	src
Committed By:	christos
Date:		Fri Feb 3 19:01:08 UTC 2023
Modified Files:
	src/sys/external/bsd/ipf/netinet: fil.c

Log Message:
Fix use after free on packet with broken lengths

In the scenario of a packet with a length of 67 bytes, a header length using the default of 20 bytes and a TCP data offset (th_off) of 48 will cause m_pullup() to fail to make sure bytes are arranged contiguously. m_pullup() will free the mbuf chain and return a null. ipfilter stores the resultant mbuf address (or the resulting NULL) in its fr_info_t structure. Unfortunately the erroneous packet is not flagged for drop.

From FreeBSD via CY Schubert; originally reported by: Robert Morris <rtm at lcs.mit.edu>

To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 src/sys/external/bsd/ipf/netinet/fil.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
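The failure mode the log message describes, as an added model written for this page (it is not the ipfilter code and not the committed diff): a user-space stand-in for m_pullup() that "frees" the chain and returns NULL when the requested contiguous length exceeds the packet, a trimmed fr_info_t, and a filter pass whose drop decision is keyed on a flag. The numbers are the ones from the message: a 67-byte packet, a 20-byte IP header and a 48-byte TCP header (reading "th_off of 48" as the scaled header length, since 20 + 48 = 68 is exactly one byte more than the packet). The pre-fix path stores the NULL and returns -1 but sets no flag; the post-fix path additionally marks the packet bad. The flag name FI_BAD, the struct layouts and the function names are assumptions; the real fix is not reproduced verbatim.

```c
#include <stdio.h>
#include <string.h>

#define PKT_MAX 128
#define FI_BAD  0x1u   /* hypothetical flag: "this packet must be dropped" */

/* Minimal mbuf model (hypothetical): a single contiguous buffer. A real
 * mbuf chain has several segments; `freed` records that m_pullup released it
 * so a later use can be detected instead of crashing. */
typedef struct mbuf {
    unsigned char buf[PKT_MAX];
    size_t len;
    int freed;
} mbuf_t;

/* Subset of ipfilter's fr_info_t: field names follow the real ones, the
 * layout is an assumption. fin_mp points at the caller's own handle. */
typedef struct fr_info {
    mbuf_t *fin_m;
    mbuf_t **fin_mp;
    unsigned fin_flx;
} fr_info_t;

/* Model of m_pullup(): return the mbuf if `len` bytes are contiguous,
 * otherwise free the chain and return NULL, as the real m_pullup() does. */
static mbuf_t *model_m_pullup(mbuf_t *m, size_t len)
{
    if (m == NULL)
        return NULL;
    if (m->len >= len)
        return m;
    m->freed = 1;              /* stands in for m_freem(m) */
    return NULL;
}

/* Pre-fix behaviour: the result (possibly NULL) is stored in fr_info_t and
 * -1 is returned, but the packet is not flagged for drop. */
static int pullup_unflagged(fr_info_t *fin, size_t need)
{
    mbuf_t *m = model_m_pullup(fin->fin_m, need);
    fin->fin_m = m;
    *fin->fin_mp = m;
    return m ? 0 : -1;
}

/* Post-fix behaviour (assumption: the committed change also marks the packet
 * bad; the exact flag and call site are not reproduced here). */
static int pullup_flagged(fr_info_t *fin, size_t need)
{
    int rc = pullup_unflagged(fin, need);
    if (rc != 0)
        fin->fin_flx |= FI_BAD;
    return rc;
}

enum outcome { OUT_PASS = 0, OUT_DROP = 1, OUT_USE_AFTER_FREE = 2 };

/* The slice of a filter pass that matters: parse layer 4 (which may pull
 * up), then either drop the packet or keep working on it. Any reference to
 * the chain after a failed pullup (modelled by the local `pkt`) is a
 * use-after-free. */
static enum outcome filter_pass(mbuf_t *pkt, size_t l4_end, int fixed)
{
    mbuf_t *callers_ptr = pkt;                 /* the network stack's handle */
    fr_info_t fin = { pkt, &callers_ptr, 0 };

    if (fixed)
        (void)pullup_flagged(&fin, l4_end);
    else
        (void)pullup_unflagged(&fin, l4_end);

    if (fin.fin_flx & FI_BAD)
        return OUT_DROP;                       /* nothing else touches pkt */

    if (pkt->freed)
        return OUT_USE_AFTER_FREE;             /* chain gone, processing went on */
    return OUT_PASS;
}

/* Build a packet of pkt_len bytes (constructed input; contents irrelevant)
 * and run it through filter_pass with the given IP and TCP header lengths. */
enum outcome run_case(size_t pkt_len, size_t ip_hlen, size_t tcp_hlen, int fixed)
{
    mbuf_t pkt;
    memset(&pkt, 0, sizeof pkt);
    pkt.len = pkt_len > PKT_MAX ? PKT_MAX : pkt_len;
    return filter_pass(&pkt, ip_hlen + tcp_hlen, fixed);
}

int main(void)
{
    /* 0 = pass, 1 = drop, 2 = use-after-free */
    printf("67B, hdr 20+48, unfixed: %d\n", (int)run_case(67, 20, 48, 0));
    printf("67B, hdr 20+48, fixed:   %d\n", (int)run_case(67, 20, 48, 1));
    printf("67B, hdr 20+20, unfixed: %d\n", (int)run_case(67, 20, 20, 0));
    return 0;
}
```

The point the model isolates: returning -1 from the pullup helper is not enough when the callers decide whether to continue based on the flags in fr_info_t. Once m_pullup() has freed the chain, the only safe continuation is the one that is never reached, so the failure has to be recorded where the drop decision is made.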