From 7c83f09f650529b91aee2f7ad55bce98a39c00ad Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Thu, 14 Jan 2010 00:00:06 +0000
Subject: in pf_create_state, when we fixed the leaks, we were a bit too trigger happy and went to use after free instead. ryan and I think we found the reason - just freeing that state keys in the error path is wrong as well, since pf_state_key_setup could have found existing, identical state keys and linked our state to these. if we now free them the other state that hung of these state keys would point back to the freed state keys. so instead of manually trying to free the state keys just call pf_state_key_detach which has all the magic checks. with and ok ryan

---
 sys/net/pf.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/sys/net/pf.c b/sys/net/pf.c
index cf28dbffe18..aea5e692790 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.684 2010/01/13 23:45:14 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.685 2010/01/14 00:00:05 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -3190,10 +3190,9 @@ pf_create_state(struct pf_rule *r, struct pf_rule *a, struct pf_pdesc *pd,
 	}
 
 	if (pf_state_insert(BOUND_IFACE(r, kif), *skw, *sks, s)) {
-		if (*skw != *sks)
-			pool_put(&pf_state_key_pl, *skw);
-		pool_put(&pf_state_key_pl, *sks);
-		*skw = *sks = NULL;
+		pf_state_key_detach(s, PF_SK_STACK);
+		pf_state_key_detach(s, PF_SK_WIRE);
+		*sks = *skw = NULL;
 		REASON_SET(&reason, PFRES_STATEINS);
 		goto csfailed;
 	} else
-- 
cgit v1.2.3
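Review bot: The new error path at `pf_state_key_detach(s, PF_SK_STACK)` needs a comment, because the reason it replaced the pool_put() calls lives only in the commit message, and the next reader who sees a failed pf_state_insert() will be tempted to "fix" the apparent leak back into the use-after-free: `/* keys may be shared with other states (pf_state_key_setup reuses identical ones); detach rather than pool_put so a shared key is not freed from under them */`. Whether the detach order (PF_SK_STACK before PF_SK_WIRE) matters when *skw == *sks cannot be seen in this hunk; the commit message implies pf_state_key_detach handles the shared-key case, but that is worth confirming against its definition. Swapping `*skw = *sks = NULL` to `*sks = *skw = NULL` is diff noise with no behavioral effect; keeping the original order would make the change easier to audit. pf_create_state and its csfailed label continue outside the hunk, so what csfailed does with the now-NULL key pointers is not visible here.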