authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2005-02-20 15:58:39 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2005-02-20 15:58:39 +0000
commit49c6e2d42da84e1c0204cfd80a45b8d0180be41a (patch)
tree6dfde4814112bd6ce00ac391147fb52f47b7a63a
parent54a150c161d2e8aa6a755dcc28bddb2b2dae8686 (diff)
Avoid use after free when purging states.
ok henning@ dhartmei@ claudio@
-rw-r--r--sys/net/if_pfsync.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 2ef3fbfbd9e..d0f56d096a7 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.45 2005/02/15 21:31:22 aaron Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.46 2005/02/20 15:58:38 mcbride Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -308,6 +308,7 @@ pfsync_input(struct mbuf *m, ...)
switch (action) {
case PFSYNC_ACT_CLR: {
+ struct pf_state *nexts;
struct pfi_kif *kif;
u_int32_t creatorid;
if ((mp = m_pulldown(m, iplen + sizeof(*ph),
@@ -320,7 +321,9 @@ pfsync_input(struct mbuf *m, ...)
s = splsoftnet();
if (cp->ifname[0] == '\0') {
- RB_FOREACH(st, pf_state_tree_id, &tree_id) {
+ for (st = RB_MIN(pf_state_tree_id, &tree_id);
+ st; st = nexts) {
+ nexts = RB_NEXT(pf_state_tree_id, &tree_id, st);
if (st->creatorid == creatorid) {
st->timeout = PFTM_PURGE;
pf_purge_expired_state(st);
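Review bot: Neither rewritten loop (the `tree_id` walk here and the `pfik_lan_ext` walk in the next hunk) has a comment saying why `RB_FOREACH` was dropped, so a later cleanup could fold them back into the macro and reintroduce the use after free named in the commit message. I would add `/* fetch the successor first: pf_purge_expired_state() may free st */` above each `nexts = RB_NEXT(...)` line. The saved pointer stays valid only if the purge call removes nothing but `st` from the tree being walked. That is presumably the case but is not visible in this diff, and it is worth confirming because this code runs from `pfsync_input()` on a `PFSYNC_ACT_CLR` action with a `creatorid` taken from the message. The loop body and the enclosing `case` block continue outside the hunk.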
@@ -335,8 +338,10 @@ pfsync_input(struct mbuf *m, ...)
splx(s);
goto done;
}
- RB_FOREACH(st, pf_state_tree_lan_ext,
- &kif->pfik_lan_ext) {
+ for (st = RB_MIN(pf_state_tree_lan_ext,
+ &kif->pfik_lan_ext); st; st = nexts) {
+ nexts = RB_NEXT(pf_state_tree_lan_ext,
+ &kif->pfik_lan_ext, st);
if (st->creatorid == creatorid) {
st->timeout = PFTM_PURGE;
pf_purge_expired_state(st);