diff options
author | glebius <glebius@FreeBSD.org> | 2012-12-06 08:32:28 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2012-12-06 08:32:28 +0000 |
commit | d88e4529b616878be41bb69afa15a46d2429c47c (patch) | |
tree | 62719294d4a39e6f96bc33b6bd89396de3c2dffa | |
parent | 9fc690ed34bec6f3761b5d37ec332e924aaee3ec (diff) | |
download | FreeBSD-src-d88e4529b616878be41bb69afa15a46d2429c47c.zip FreeBSD-src-d88e4529b616878be41bb69afa15a46d2429c47c.tar.gz |
Close possible races between state deletion and sent being sent out
from pfsync:
- Call into pfsync_delete_state() holding the state lock.
- Set the state timeout to PFTM_UNLINKED after state has been moved
to the PFSYNC_S_DEL queue in pfsync.
Reported by: Ian FREISLICH <ianf cloudseed.co.za>
-rw-r--r-- | sys/netpfil/pf/pf.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 0825367..a86e550 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -1487,8 +1487,6 @@ pf_unlink_state(struct pf_state *s, u_int flags) return (0); /* XXXGL: undefined actually */ } - s->timeout = PFTM_UNLINKED; - if (s->src.state == PF_TCPS_PROXY_DST) { /* XXX wire key the right one? */ pf_send_tcp(NULL, s->rule.ptr, s->key[PF_SK_WIRE]->af, @@ -1502,11 +1500,14 @@ pf_unlink_state(struct pf_state *s, u_int flags) LIST_REMOVE(s, entry); pf_src_tree_remove_state(s); - PF_HASHROW_UNLOCK(ih); if (pfsync_delete_state_ptr != NULL) pfsync_delete_state_ptr(s); + s->timeout = PFTM_UNLINKED; + + PF_HASHROW_UNLOCK(ih); + pf_detach_state(s); refcount_release(&s->refs); |