authorHenning Brauer <henning@cvs.openbsd.org>2010-01-14 00:00:06 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2010-01-14 00:00:06 +0000
commit7c83f09f650529b91aee2f7ad55bce98a39c00ad (patch)
tree043588ff479231f3359f0c0131bd4ceeaef5ed64
parent88c1df0d61ad8f034c4fec60a06b220b7cafd16a (diff)
in pf_create_state, when we fixed the leaks, we were a bit too trigger
happy and went to use-after-free instead. ryan and I think we found the reason - just freeing the state keys in the error path is wrong as well, since pf_state_key_setup could have found existing, identical state keys and linked our state to these. if we now free them, the other state that hung off these state keys would point back to the freed state keys. so instead of manually trying to free the state keys, just call pf_state_key_detach which has all the magic checks. with and ok ryan
-rw-r--r--sys/net/pf.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index cf28dbffe18..aea5e692790 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.684 2010/01/13 23:45:14 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.685 2010/01/14 00:00:05 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -3190,10 +3190,9 @@ pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_pdesc *pd,
}
if (pf_state_insert(BOUND_IFACE(r, kif), *skw, *sks, s)) {
- if (*skw != *sks)
- pool_put(&pf_state_key_pl, *skw);
- pool_put(&pf_state_key_pl, *sks);
- *skw = *sks = NULL;
+ pf_state_key_detach(s, PF_SK_STACK);
+ pf_state_key_detach(s, PF_SK_WIRE);
+ *sks = *skw = NULL;
REASON_SET(&reason, PFRES_STATEINS);
goto csfailed;
} else
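Review bot: The two pf_state_key_detach calls at the replaced lines drop the `*skw != *sks` distinction the removed code made, so correctness now depends on pf_state_key_detach coping with both s->key[] slots referring to the same key object: the PF_SK_STACK call may free that key (or unlink it) and the PF_SK_WIRE call must then find a cleared or tolerated slot rather than a dangling pointer. pf_state_key_detach is not visible here, so this is worth confirming against its definition rather than relying on the commit message's "magic checks". The rationale for detaching instead of freeing is also only in the commit message; a maintainer could reintroduce the pool_put form, so I would put it above the detach calls: `/* keys may be shared with other states (pf_state_key_setup reuses identical keys); detach, never free directly */`. Note that assigning `*sks = *skw = NULL` here presumes the csfailed path does not also expect to release them; pf_create_state begins before and continues after this hunk, so that path is not visible.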