svn commit: r317241 - in stable: 10/sys/contrib/ipfilter/netinet 11/sys/contrib/ipfilter/netinet
Cy Schubert
cy at FreeBSD.org
Fri Apr 21 01:51:50 UTC 2017
Author: cy
Date: Fri Apr 21 01:51:49 2017
New Revision: 317241
URL: https://svnweb.freebsd.org/changeset/base/317241
Log:
MFC r316809:
Fix a use after free panic in ipfilter's fragment processing.
Memory is malloc'd, then a search for a match in the fragment table
is made and if the fragment matches, the wrong fragment table is
freed, causing a use after free panic. This commit fixes this.
A symptom of the problem is a kernel page fault in bcopy() called by
ipf_frag_lookup() at line 715 in ip_frag.c. Another symptom is a
kernel page fault in ipf_frag_delete() when called by ipf_frag_expire()
via ipf_slowtimer().
Modified:
stable/11/sys/contrib/ipfilter/netinet/ip_frag.c
Directory Properties:
stable/11/ (props changed)
Changes in other areas also in this revision:
Modified:
stable/10/sys/contrib/ipfilter/netinet/ip_frag.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/11/sys/contrib/ipfilter/netinet/ip_frag.c
==============================================================================
--- stable/11/sys/contrib/ipfilter/netinet/ip_frag.c Fri Apr 21 01:50:41 2017 (r317240)
+++ stable/11/sys/contrib/ipfilter/netinet/ip_frag.c Fri Apr 21 01:51:49 2017 (r317241)
@@ -474,7 +474,7 @@ ipfr_frag_new(softc, softf, fin, pass, t
IPFR_CMPSZ)) {
RWLOCK_EXIT(lock);
FBUMPD(ifs_exists);
- KFREE(fra);
+ KFREE(fran);
return NULL;
}
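Review bot: on the duplicate-found exit path the hunk now frees `fran` instead of `fra`, which matches the log's description of the bug (the freshly allocated fragment entry is discarded while the matched table entry `fra` stays in the table). Since the two names differ by a single letter and nothing in the visible context distinguishes them, a short comment above `KFREE(fran);` stating that `fran` is the new allocation and `fra` the existing table entry that must not be freed would guard against the same slip recurring; a regression test that submits a fragment twice and checks that the second lookup neither panics nor evicts the first entry would be worth adding alongside the fix.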