diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2017-04-14 03:54:36 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2017-04-14 03:54:36 +0000 |
| commit | 666bd4d2532230dee4ace395edb4c1cfea06748d (patch) | |
| tree | 640bed466d2d0815e9fd9a7fc74ca0910d4f59cc /sys/contrib | |
| parent | 8d169454193ded4fbdfb245b9f09c809acab058b (diff) | |
| download | src-666bd4d2532230dee4ace395edb4c1cfea06748d.tar.gz src-666bd4d2532230dee4ace395edb4c1cfea06748d.zip | |
Fix a use after free panic in ipfilter's fragment processing.
Memory is malloc'd, then a search for a match in the fragment table
is made and if the fragment matches, the wrong fragment table is
freed, causing a use after free panic. This commit fixes this.
A symptom of the problem is a kernel page fault in bcopy() called by
ipf_frag_lookup() at line 715 in ip_frag.c. Another symptom is a
kernel page fault in ipf_frag_delete() when called by ipf_frag_expire()
via ipf_slowtimer().
MFC after: 1 week
Notes
Notes:
svn path=/head/; revision=316809
Diffstat (limited to 'sys/contrib')
| -rw-r--r-- | sys/contrib/ipfilter/netinet/ip_frag.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c index abb37658c543..14b75e2d6a90 100644 --- a/sys/contrib/ipfilter/netinet/ip_frag.c +++ b/sys/contrib/ipfilter/netinet/ip_frag.c @@ -474,7 +474,7 @@ ipfr_frag_new(softc, softf, fin, pass, table IPFR_CMPSZ)) { RWLOCK_EXIT(lock); FBUMPD(ifs_exists); - KFREE(fra); + KFREE(fran); return NULL; } |