diff options
| author | kp <kp@FreeBSD.org> | 2017-03-09 03:20:20 +0000 |
|---|---|---|
| committer | Luiz Otavio O Souza <luiz@netgate.com> | 2017-03-10 23:09:24 -0600 |
| commit | 4e93ef50a32d2bdd75d08460cf0e53a7641d0096 (patch) | |
| tree | 8660c3290846e79684f96cc5803dc72e7097943d | |
| parent | 4b1aac0e071258b11a98f79839f504cb61d6027b (diff) | |
| download | FreeBSD-src-4e93ef50a32d2bdd75d08460cf0e53a7641d0096.zip FreeBSD-src-4e93ef50a32d2bdd75d08460cf0e53a7641d0096.tar.gz | |
MFC r314810:
pf: Fix a crash in low-memory situations
If the call to pf_state_key_clone() in pf_get_translation() fails (i.e. there's
no more memory for it) it frees skp. This is wrong, because skp is a
pf_state_key **, so we need to free *skp, as is done later in the function.
Getting it wrong means we try to free a stack variable of the calling
pf_test_rule() function, and we panic.
(cherry picked from commit 9c6c619e748c0e1da35441d443ddf41cd4c4f30d)
| -rw-r--r-- | sys/netpfil/pf/pf_lb.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 0474b95..c69fd8c 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -550,7 +550,7 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, return (NULL); *nkp = pf_state_key_clone(*skp); if (*nkp == NULL) { - uma_zfree(V_pf_state_key_z, skp); + uma_zfree(V_pf_state_key_z, *skp); *skp = NULL; return (NULL); } |
