git: b136983a8a78 - main - if_ovpn: fix use-after-free
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 17 Oct 2022 09:05:44 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=b136983a8a786677967b532fe74ae7975deec47b
commit b136983a8a786677967b532fe74ae7975deec47b
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-10-17 07:24:41 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-10-17 07:24:41 +0000
if_ovpn: fix use-after-free
ovpn_encrypt_tx_cb() calls ovpn_encap() to transmit a packet, then adds
the length of the packet to the "tunnel_bytes_sent" counter. However,
after ovpn_encap() returns 0, the mbuf chain may have been freed, so the
load of m->m_pkthdr.len may be a use-after-free.
Reported by: markj
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/net/if_ovpn.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index 55da53ae3eb6..524640639e76 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -1382,6 +1382,7 @@ ovpn_encrypt_tx_cb(struct cryptop *crp)
struct ovpn_kpeer *peer = crp->crp_opaque;
struct ovpn_softc *sc = peer->sc;
struct mbuf *m = crp->crp_buf.cb_mbuf;
+ int tunnel_len;
int ret;
if (crp->crp_etype != 0) {
@@ -1397,11 +1398,11 @@ ovpn_encrypt_tx_cb(struct cryptop *crp)
MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF);
+ tunnel_len = m->m_pkthdr.len - sizeof(struct ovpn_wire_header);
ret = ovpn_encap(sc, peer->peerid, m);
if (ret == 0) {
OVPN_COUNTER_ADD(sc, sent_data_pkts, 1);
- OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, m->m_pkthdr.len -
- sizeof(struct ovpn_wire_header));
+ OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, tunnel_len);
}
CURVNET_RESTORE();