| Field | Value | Date |
|---|---|---|
| author | Henning Brauer <henning@cvs.openbsd.org> | 2010-01-14 00:00:06 +0000 |
| committer | Henning Brauer <henning@cvs.openbsd.org> | 2010-01-14 00:00:06 +0000 |
| commit | 7c83f09f650529b91aee2f7ad55bce98a39c00ad | |
| tree | 043588ff479231f3359f0c0131bd4ceeaef5ed64 /sys/net | |
| parent | 88c1df0d61ad8f034c4fec60a06b220b7cafd16a | |
in pf_create_state, when we fixed the leaks, we were a bit too trigger
happy and went to use after free instead. ryan and I think we found the
reason - just freeing that state keys in the error path is wrong as well,
since pf_state_key_setup could have found existing, identical state keys
and linked our state to these. if we now free them the other state that
hung off these state keys would point back to the freed state keys. so
instead of manually trying to free the state keys just call
pf_state_key_detach which has all the magic checks.
with and ok ryan
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/pf.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index cf28dbffe18..aea5e692790 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.684 2010/01/13 23:45:14 henning Exp $ */ +/* $OpenBSD: pf.c,v 1.685 2010/01/14 00:00:05 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -3190,10 +3190,9 @@ pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_pdesc *pd, } if (pf_state_insert(BOUND_IFACE(r, kif), *skw, *sks, s)) { - if (*skw != *sks) - pool_put(&pf_state_key_pl, *skw); - pool_put(&pf_state_key_pl, *sks); - *skw = *sks = NULL; + pf_state_key_detach(s, PF_SK_STACK); + pf_state_key_detach(s, PF_SK_WIRE); + *sks = *skw = NULL; REASON_SET(&reason, PFRES_STATEINS); goto csfailed; } else |
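Review bot: In the pf_state_insert failure branch of pf_create_state, the cleanup now works through s (pf_state_key_detach(s, PF_SK_STACK) and pf_state_key_detach(s, PF_SK_WIRE)) while the caller's pointers *sks and *skw are set to NULL right after, so the branch is only leak-free if every non-zero return from pf_state_insert leaves both keys attached to s. If pf_state_insert can fail before a key is linked to s, or after it has already released one, the detach call has nothing to act on and the assignment `*sks = *skw = NULL;` drops the last reference. Please confirm this for each failure return of pf_state_insert, and add a short comment in this branch stating that invariant. The removed `if (*skw != *sks)` guard covered the case where wire and stack are the same key; the same comment should say that pf_state_key_detach handles that case, since the two calls are now unconditional and the order (stack first, then wire) is not explained.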