diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-09-12 16:32:28 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-09-12 16:32:28 +0000 |
| commit | 0d89cb931da055e74f9805dd0bee96b7807dec9d (patch) | |
| tree | 06c2ad6ed72873e10fe19b05f90bd06462047e00 /sys/net | |
| parent | 35a53943deeac3a5828402a78ab44174c487d184 (diff) | |
If M_PREPEND() fails, it frees the mbuf. In this case pf_translate_af()
must reset pd->m to avoid a use after free.
OK sashan@ mikeb@
Diffstat (limited to 'sys/net')
| -rw-r--r-- | sys/net/pf.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 9f3117e651a..4bfece73ca5 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.941 2015/09/11 15:21:31 mpi Exp $ */ +/* $OpenBSD: pf.c,v 1.942 2015/09/12 16:32:27 bluhm Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1915,8 +1915,10 @@ pf_translate_af(struct pf_pdesc *pd) m_adj(pd->m, pd->off); /* prepend a new one */ - if ((M_PREPEND(pd->m, hlen, M_DONTWAIT)) == NULL) + if ((M_PREPEND(pd->m, hlen, M_DONTWAIT)) == NULL) { + pd->m = NULL; return (-1); + } switch (pd->naf) { case AF_INET: |