git: 980eedb0cad6 - stable/14 - pf: avoid use-after-free on reassembly

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Mon, 20 Jan 2025 16:27:52 UTC
The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=980eedb0cad684c1e4a64d063df2ee7d28fa693d

commit 980eedb0cad684c1e4a64d063df2ee7d28fa693d
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-01-06 20:08:04 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-01-20 16:26:49 +0000

    pf: avoid use-after-free on reassembly
    
    Ensure we update the mbuf pointer returned by pf_normalize_ip() or
    pf_normalize_ip6() even if they fail.
    Otherwise we'd risk using a freed mbuf.
    
    PR:             283705
    Reported by:    Yichen Chai <yichen.chai@gmail.com>, Zhuo Ying Jiang Li <zyj20@cl.cam.ac.uk>
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit 5d28f4cab8d5919aba1365e885a91a96c0655b59)
---
 sys/netpfil/pf/pf.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 18b907c45d38..31c3dd8009de 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8424,6 +8424,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
 		if (mtag != NULL)
 			m_tag_delete(m, mtag);
 	} else if (pf_normalize_ip(m0, kif, &reason, &pd) != PF_PASS) {
+		m = *m0;
 		/* We do IP header normalization and packet reassembly here */
 		action = PF_DROP;
 		goto done;
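Review bot: The new `m = *m0;` on the failure branch carries no explanation, and the pre-existing comment `/* We do IP header normalization and packet reassembly here */` now sits between the assignment and `action = PF_DROP;` although it describes the `pf_normalize_ip()` call above it, so a reader may take it as describing the assignment. A short why-comment on the new line, `m = *m0;	/* pf_normalize_ip() may have freed or replaced *m0 */`, and moving the existing comment above the `else if` would make the intent self-evident. The same unexplained assignment is added in pf_test6 at the `pf_normalize_ip6()` failure branch (the hunk ending at line 60). pf_test's body continues outside this hunk.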
@@ -8629,6 +8630,10 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
 
 done:
 	PF_RULES_RUNLOCK();
+
+	if (m == NULL)
+		goto out;
+
 	if (action == PF_PASS && h->ip_hl > 5 &&
 	    !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
 		action = PF_DROP;
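Review bot: The early `goto out` inserted right after `PF_RULES_RUNLOCK()` bypasses the entire tail of `done:` — the options check visible here and, presumably, the logging, counter and free handling that follows outside the hunk — so it is only correct if every path that arrives at `done:` with `m == NULL` has already disposed of the packet and needs no further accounting; that precondition is not stated anywhere in the change. A comment on the check, such as `/* m == NULL: normalization consumed the mbuf; nothing left to log, count or free */`, would record why skipping the tail is safe and stop a future edit from adding `m`-independent accounting below it that this path would then miss. The same construct is added in pf_test6 in the hunk ending at line 70. The rest of `done:` and the `out:` label are outside the hunk, so whether `out:` itself is safe with `m == NULL` cannot be confirmed here.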
@@ -8968,6 +8973,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
 
 	/* We do IP header normalization and packet reassembly here */
 	if (pf_normalize_ip6(m0, kif, &reason, &pd) != PF_PASS) {
+		m = *m0;
 		action = PF_DROP;
 		goto done;
 	}
@@ -9237,6 +9243,9 @@ done:
 		n = NULL;
 	}
 
+	if (m == NULL)
+		goto out;
+
 	/* handle dangerous IPv6 extension headers. */
 	if (action == PF_PASS && rh_cnt &&
 	    !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
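Review bot: In pf_test6 the `m == NULL` check is placed after the block that clears `n`, not directly at `done:` as it is in pf_test, so any statement between `done:` and the new check that dereferences `m`, `h` or `pd` fields backed by the mbuf would still run on a freed packet. That stretch is outside the hunk, so it should be confirmed to be mbuf-independent, or the check moved up to immediately follow `done:` so both functions guard the same way. The enclosing `done:` section starts outside the hunk.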