author: cy <cy@FreeBSD.org> 2017-04-21 01:51:49 +0000
committer: cy <cy@FreeBSD.org> 2017-04-21 01:51:49 +0000
commit: f997910e54b19e3bf30bd9f0d17885b0a90b15c5
tree: 135bd2a879fc406c72a1522aa36fd82d0dcf662a /sys/contrib
parent: bf6ac4a315def7a533558327b6942d7d83b8cba2
MFC r316809:
Fix a use after free panic in ipfilter's fragment processing. Memory is malloc'd, then a search for a match in the fragment table is made and if the fragment matches, the wrong fragment table is freed, causing a use after free panic. This commit fixes this. A symptom of the problem is a kernel page fault in bcopy() called by ipf_frag_lookup() at line 715 in ip_frag.c. Another symptom is a kernel page fault in ipf_frag_delete() when called by ipf_frag_expire() via ipf_slowtimer().
Diffstat (limited to 'sys/contrib')
-rw-r--r-- sys/contrib/ipfilter/netinet/ip_frag.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c
index 426353a..a49994a 100644
--- a/sys/contrib/ipfilter/netinet/ip_frag.c
+++ b/sys/contrib/ipfilter/netinet/ip_frag.c
@@ -474,7 +474,7 @@ ipfr_frag_new(softc, softf, fin, pass, table
IPFR_CMPSZ)) {
RWLOCK_EXIT(lock);
FBUMPD(ifs_exists);
- KFREE(fra);
+ KFREE(fran);
return NULL;
}
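Review bot: In the duplicate-found branch of ipfr_frag_new (the path that bumps ifs_exists and returns NULL), the freed pointer and the pointer that must stay alive differ by a single letter, `fra` versus `fran`, and nothing in the hunk says which one is the fresh allocation and which one is still linked in the fragment table. A one-line comment above `KFREE(fran);` stating that only the newly allocated, not yet inserted entry is released here, or a more distinct name for the new allocation, would make this mistake harder to reintroduce. It is also worth checking the function's other early-return paths for the same `fra`/`fran` mix-up, since this hunk covers only the one exit.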