author    David Gwynne <dlg@cvs.openbsd.org>  2014-10-17 00:47:49 +0000
committer David Gwynne <dlg@cvs.openbsd.org>  2014-10-17 00:47:49 +0000
commit    9d179a1e4d1b28a722089050a209000c738a4b09 (patch)
tree      a5090e86c6ed5b5a8024a5a32d353d75daef19e0 /sys
parent    903fd0e0762f3bcbe2ca1bb62fe3a7d4504e62f8 (diff)
reset all the pfsync packet state before calling ip_output in
pfsync_sendout. more specifically, move the reset of sc->sc_len to PFSYNC_MINPKT above ip_output. this prevents a situation where ipsec via ip_output calls pfsync_update_tdb for syncing the ipsec flow to a peer, which accounts for the tdb in the next pfsync packet, before unwinding back to pfsync_output which resets the accounting we just did. the next pfsync packet to be sent out will be allocated with a short length because sc_len is wrong, and the long lists of things (eg, the tdb) can overwrite memory after the mbuf. this manifests as incorrect poisoning or xsimpleq entry corruption in mbufs still in a pool, or random corruption of m->m_next on other mbufs in the system. bug found, fix tested, and ok stsp@
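The re-entrancy the commit message describes, modelled in user-space C as an added example (this is not OpenBSD code and not part of the commit). The model keeps the two things the real driver keeps, a byte count (sc_len) and a queue of pending tdb records, and lets the "ip_output" step call back into the accounting exactly once. The struct, the model_* functions and all sizes are hypothetical; a guard region after the allocated "mbuf" makes the overrun observable instead of corrupting the heap. model_run(0) reproduces the old ordering (reset after ip_output) and model_run(1) the fixed ordering (reset before ip_output):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sizes; they only need to make a short packet visible. */
#define PFSYNC_MINPKT	16	/* fixed header every packet carries */
#define TDB_ENTRY_LEN	32	/* one queued tdb record */
#define GUARD_LEN	64	/* canary after the "mbuf" */
#define GUARD_BYTE	0xA5

struct softc {
	size_t	sc_len;		/* bytes the next packet needs (sc->sc_len) */
	int	sc_tdbs;	/* tdb records queued for the next packet */
};

/* model of pfsync_update_tdb(): queue a tdb and account for it in the next packet */
static void
model_update_tdb(struct softc *sc)
{
	sc->sc_tdbs++;
	sc->sc_len += TDB_ENTRY_LEN;
}

/* model of ip_output(): over IPsec, the output path calls back into pfsync
 * to sync its flow before pfsync_sendout() has unwound */
static void
model_ip_output(struct softc *sc, int ipsec_reenters)
{
	if (ipsec_reenters)
		model_update_tdb(sc);
}

/* Allocate sc_len bytes plus a guard, write header and every queued record at
 * the offset the real code would use, and return 1 if a record landed in the
 * guard (the kernel would have written past the mbuf), 0 if everything fit. */
static int
model_build_packet(struct softc *sc)
{
	size_t len = sc->sc_len, i;
	size_t need = PFSYNC_MINPKT + (size_t)sc->sc_tdbs * TDB_ENTRY_LEN;
	unsigned char *m, *guard;
	int overran = 0, n;

	if (need > len + GUARD_LEN)	/* model limit; never hit with one re-entry */
		abort();
	if ((m = malloc(len + GUARD_LEN)) == NULL)
		abort();
	guard = m + len;
	memset(m, 0, len);
	memset(guard, GUARD_BYTE, GUARD_LEN);

	memset(m, 1, PFSYNC_MINPKT);			/* header */
	for (n = 0; n < sc->sc_tdbs; n++)		/* records, trusting sc_len */
		memset(m + PFSYNC_MINPKT + n * TDB_ENTRY_LEN, 2, TDB_ENTRY_LEN);

	for (i = 0; i < GUARD_LEN; i++)
		if (guard[i] != GUARD_BYTE)
			overran = 1;
	free(m);
	sc->sc_tdbs = 0;	/* the queued records are now in the packet */
	return overran;
}

/* model of pfsync_sendout() with the reset before (fixed) or after (old) ip_output */
static int
model_sendout(struct softc *sc, int ipsec_reenters, int reset_before_output)
{
	int overran = model_build_packet(sc);

	if (reset_before_output)
		sc->sc_len = PFSYNC_MINPKT;	/* start again: the fix */
	model_ip_output(sc, ipsec_reenters);
	if (!reset_before_output)
		sc->sc_len = PFSYNC_MINPKT;	/* start again: old placement, wipes what the re-entry just accounted */
	return overran;
}

/* Two sendouts: the first is re-entered from IPsec, the second carries the tdb
 * that re-entry queued.  Returns 1 if the second packet overran its allocation. */
int
model_run(int reset_before_output)
{
	struct softc sc = { PFSYNC_MINPKT, 0 };

	model_update_tdb(&sc);		/* something to send in the first packet */
	(void)model_sendout(&sc, 1, reset_before_output);
	return model_sendout(&sc, 0, reset_before_output);
}

int
main(void)
{
	printf("old order:   second packet %s\n", model_run(0) ? "overran its mbuf" : "fit");
	printf("fixed order: second packet %s\n", model_run(1) ? "overran its mbuf" : "fit");
	return 0;
}
```

With the old ordering the second packet is allocated at PFSYNC_MINPKT while one tdb record is still queued, so the record is written straight into the guard; with the reset moved before ip_output the re-entry's accounting survives and the second packet is sized correctly. The model stops at one re-entry, which is enough to show why the reset must be the last thing done with the old packet's accounting before anything that can call back into pfsync.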
Diffstat (limited to 'sys')
-rw-r--r--  sys/net/if_pfsync.c  8
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 79f3e398c8c..5ac75c5eb0f 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.209 2014/09/08 06:24:13 jsg Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.210 2014/10/17 00:47:48 dlg Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -1678,6 +1678,9 @@ pfsync_sendout(void)
}
#endif
+ /* start again */
+ sc->sc_len = PFSYNC_MINPKT;
+
sc->sc_if.if_opackets++;
sc->sc_if.if_obytes += m->m_pkthdr.len;
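Review bot: the placement is load-bearing, so the `/* start again */` comment should say why it now precedes ip_output: that IPsec on the output path can call pfsync_update_tdb, which adds to sc->sc_len, and that anything added from here on belongs to the next packet. The two accounting lines that follow the reset read m->m_pkthdr.len rather than sc->sc_len, which is correct since the mbuf is already built; worth confirming that nothing else between this point and the ip_output call still consults sc->sc_len, as after this line it no longer describes the packet being sent.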
@@ -1687,9 +1690,6 @@ pfsync_sendout(void)
pfsyncstats.pfsyncs_opackets++;
else
pfsyncstats.pfsyncs_oerrors++;
-
- /* start again */
- sc->sc_len = PFSYNC_MINPKT;
}
void
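Review bot: with the reset removed from the tail of pfsync_sendout, the `pfsyncs_oerrors++` branch now does nothing with the accounting on failure, which is the intended behaviour (sc->sc_len must not be touched again after ip_output, whatever it returned). A one-line comment at the stats block noting that the reset already happened before ip_output would stop a later change from reintroducing it on the error path.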