git: 0ade521bac78 - stable/13 - pfsync: fix use of invalidated stack variable
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 01 Apr 2024 07:34:35 UTC
The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=0ade521bac78929941081b6757e45316befd79f7 commit 0ade521bac78929941081b6757e45316befd79f7 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2024-03-24 08:46:31 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2024-04-01 07:33:36 +0000 pfsync: fix use of invalidated stack variable Calls to pfsync_send_plus() pass pointers to stack variables. If pfsync_sendout() then fails it retains the pointer to these stack variables, accesing them later. Allocate a buffer and copy the data instead, so that we can retain the pointer safely. Reported by: CI KASAN, markj MFC after: 1 week (cherry picked from commit 81debbd60e5773e812e9227a2003ea88699580be) --- sys/netpfil/pf/if_pfsync.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index 939a4d5451a9..a08a8334683a 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c @@ -419,6 +419,9 @@ pfsync_clone_destroy(struct ifnet *ifp) MPASS(TAILQ_EMPTY(&b->b_deferrals)); PFSYNC_BUCKET_UNLOCK(b); + free(b->b_plus, M_PFSYNC); + b->b_plus = NULL; + callout_drain(&b->b_tmo); } @@ -1557,6 +1560,7 @@ pfsync_drop(struct pfsync_softc *sc) } b->b_len = PFSYNC_MINPKT; + free(b->b_plus, M_PFSYNC); b->b_plus = NULL; } } @@ -1669,6 +1673,7 @@ pfsync_sendout(int schedswi, int c) bcopy(b->b_plus, m->m_data + offset, b->b_pluslen); offset += b->b_pluslen; + free(b->b_plus, M_PFSYNC); b->b_plus = NULL; } @@ -2287,13 +2292,21 @@ pfsync_send_plus(void *plus, size_t pluslen) PFSYNC_BUCKET_LOCK(b); + MPASS(b->b_plus == NULL); + if (b->b_len + pluslen > sc->sc_ifp->if_mtu) pfsync_sendout(1, b->b_id); - b->b_plus = plus; + b->b_plus = malloc(pluslen, M_PFSYNC, M_NOWAIT); + if (b->b_plus == NULL) + goto out; + + memcpy(b->b_plus, plus, pluslen); b->b_len += (b->b_pluslen = pluslen); pfsync_sendout(1, b->b_id); + +out: PFSYNC_BUCKET_UNLOCK(b); }