authorAlexander Bluhm <bluhm@cvs.openbsd.org>2011-01-19 11:39:58 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2011-01-19 11:39:58 +0000
commit94f9a32ab25c7ebdc4970ae976ae3d344c0bdba6 (patch)
tree796384e21f5822e59722d680c3ddcbf1fa34c216 /sys/net/pf.c
parent63c73df02c396211eab8a568f839f935d0cb2e56 (diff)
Give pf_normalize_ip() the same 3 way semantics as pf_test().
- PF_DROP, the packet is bad, the mbuf still exists and must be freed.
- PF_PASS and *m0 is NULL, the packet has been processed, not an error.
- PF_PASS and *m0 is not NULL, continue with packet processing.

This fixes a potential mbuf use after free.

ok henning@ markus@ mpf@
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r--sys/net/pf.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 3010ecb2748..f9e1b8087ca 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.720 2011/01/11 13:35:58 mcbride Exp $ */
+/* $OpenBSD: pf.c,v 1.721 2011/01/19 11:39:56 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -5852,6 +5852,8 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0,
goto done;
}
m = *m0; /* pf_normalize messes with m0 */
+ if (m == NULL)
+ return (PF_PASS);
h = mtod(m, struct ip *);
if (pf_setup_pdesc(AF_INET, dir, &pd, m, &action, &reason, kif, &a, &r,
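Review bot: The new `if (m == NULL) return (PF_PASS);` after `m = *m0` in pf_test() has no comment saying why a NULL mbuf counts as success, and it leaves the function directly instead of through the `done:` label used by the error path just above. I would add `/* packet was consumed by normalization (*m0 == NULL): not an error, nothing left to filter */` above the check, so nobody later folds it into the drop path or moves it below `mtod()`. pf_test() starts and ends outside the hunk, so please confirm that nothing set up before this point relies on `done:` for cleanup, and that callers test `*m0` for NULL before touching the mbuf on PF_PASS. The pf_test6() hunk adds the same check and needs the same comment. The IPv6 normalizer is not part of this diff, so it is not visible here whether it can actually return PF_PASS with `*m0` set to NULL.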
@@ -6117,6 +6119,8 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0,
goto done;
}
m = *m0; /* pf_normalize messes with m0 */
+ if (m == NULL)
+ return (PF_PASS);
h = mtod(m, struct ip6_hdr *);
#if 1