diff options
author | cy <cy@FreeBSD.org> | 2017-04-21 01:51:49 +0000 |
---|---|---|
committer | cy <cy@FreeBSD.org> | 2017-04-21 01:51:49 +0000 |
commit | f997910e54b19e3bf30bd9f0d17885b0a90b15c5 (patch) | |
tree | 135bd2a879fc406c72a1522aa36fd82d0dcf662a /sys/contrib | |
parent | bf6ac4a315def7a533558327b6942d7d83b8cba2 (diff) | |
download | FreeBSD-src-f997910e54b19e3bf30bd9f0d17885b0a90b15c5.zip FreeBSD-src-f997910e54b19e3bf30bd9f0d17885b0a90b15c5.tar.gz |
MFC r316809:
Fix a use after free panic in ipfilter's fragment processing.
Memory is malloc'd, then a search for a match in the fragment table
is made and if the fragment matches, the wrong fragment table is
freed, causing a use after free panic. This commit fixes this.
A symptom of the problem is a kernel page fault in bcopy() called by
ipf_frag_lookup() at line 715 in ip_frag.c. Another symptom is a
kernel page fault in ipf_frag_delete() when called by ipf_frag_expire()
via ipf_slowtimer().
Diffstat (limited to 'sys/contrib')
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_frag.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c index 426353a..a49994a 100644 --- a/sys/contrib/ipfilter/netinet/ip_frag.c +++ b/sys/contrib/ipfilter/netinet/ip_frag.c @@ -474,7 +474,7 @@ ipfr_frag_new(softc, softf, fin, pass, table IPFR_CMPSZ)) { RWLOCK_EXIT(lock); FBUMPD(ifs_exists); - KFREE(fra); + KFREE(fran); return NULL; } |