svn commit: r343652 - stable/12/sys/netpfil/pf

Kristof Provost kp at FreeBSD.org
Fri Feb 1 10:04:54 UTC 2019 

Author: kp
Date: Fri Feb  1 10:04:53 2019
New Revision: 343652
URL: https://svnweb.freebsd.org/changeset/base/343652

Log:
  MFC r343418:
  
  pf: Fix use-after-free of counters
  
  When cleaning up a vnet we free the counters in V_pf_default_rule and
  V_pf_status from shutdown_pf(), but we can still use them later, for example
  through pf_purge_expired_src_nodes().
  
  Free them as the very last operation, as they rely on nothing else themselves.
  
  PR:		235097

Modified:
  stable/12/sys/netpfil/pf/pf_ioctl.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- stable/12/sys/netpfil/pf/pf_ioctl.c	Fri Feb  1 09:18:44 2019	(r343651)
+++ stable/12/sys/netpfil/pf/pf_ioctl.c	Fri Feb  1 10:04:53 2019	(r343652)
@@ -3989,20 +3989,6 @@ shutdown_pf(void)
 
 		/* status does not use malloced mem so no need to cleanup */
 		/* fingerprints and interfaces have their own cleanup code */
-
-		/* Free counters last as we updated them during shutdown. */
-		counter_u64_free(V_pf_default_rule.states_cur);
-		counter_u64_free(V_pf_default_rule.states_tot);
-		counter_u64_free(V_pf_default_rule.src_nodes);
-
-		for (int i = 0; i < PFRES_MAX; i++)
-			counter_u64_free(V_pf_status.counters[i]);
-		for (int i = 0; i < LCNT_MAX; i++)
-			counter_u64_free(V_pf_status.lcounters[i]);
-		for (int i = 0; i < FCNT_MAX; i++)
-			counter_u64_free(V_pf_status.fcounters[i]);
-		for (int i = 0; i < SCNT_MAX; i++)
-			counter_u64_free(V_pf_status.scounters[i]);
 	} while(0);
 
 	return (error);
@@ -4232,6 +4218,20 @@ pf_unload_vnet(void)
 	pf_cleanup();
 	if (IS_DEFAULT_VNET(curvnet))
 		pf_mtag_cleanup();
+
+	/* Free counters last as we updated them during shutdown. */
+	counter_u64_free(V_pf_default_rule.states_cur);
+	counter_u64_free(V_pf_default_rule.states_tot);
+	counter_u64_free(V_pf_default_rule.src_nodes);
+
+	for (int i = 0; i < PFRES_MAX; i++)
+		counter_u64_free(V_pf_status.counters[i]);
+	for (int i = 0; i < LCNT_MAX; i++)
+		counter_u64_free(V_pf_status.lcounters[i]);
+	for (int i = 0; i < FCNT_MAX; i++)
+		counter_u64_free(V_pf_status.fcounters[i]);
+	for (int i = 0; i < SCNT_MAX; i++)
+		counter_u64_free(V_pf_status.scounters[i]);
 }
 
 static void

More information about the svn-src-stable-12 mailing list