diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2021-10-23 22:00:52 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2021-10-23 22:00:52 +0000 |
| commit | a2989f90d80d4f9abde4d42c82d630096bd3d12a (patch) | |
| tree | 81ae57298bce4846ff5b1f1d265a3ac71d908048 /sys/netinet | |
| parent | caa30a9471ce02f7a69d48c68a1732f5de534bcd (diff) | |
Fix use-after-free in ipcomp_output() introduced by previous commit.
Retrieve ilen and olen from crypto descriptors before freeing them.
Found by regress/sys/netinet/ipsec.
OK mpi@
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/ip_ipcomp.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c index 1854df89a5d..4a2a52f42af 100644 --- a/sys/netinet/ip_ipcomp.c +++ b/sys/netinet/ip_ipcomp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipcomp.c,v 1.80 2021/10/23 15:42:35 tobhe Exp $ */ +/* $OpenBSD: ip_ipcomp.c,v 1.81 2021/10/23 22:00:51 bluhm Exp $ */ /* * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org) @@ -526,7 +526,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff) /* Release the crypto descriptors */ crypto_freereq(crp); - error = ipcomp_output_cb(tdb, tc, m, crp->crp_ilen, crp->crp_olen); + error = ipcomp_output_cb(tdb, tc, m, ilen, olen); if (error) { ipsecstat_inc(ipsec_odrops); tdb->tdb_odrops++; |