From e56cf8c4d25f5cfd3a23aa89cb80d72aea7fda37 Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Thu, 22 Nov 2007 02:01:47 +0000
Subject: pf_src_tree_remove_state() is called upon pf_insert_state() failures. but pf_insert_state does fiddle with the state's state_key pointer - it has too -, and can leave it at NULL. pf_src_tree_remove_state() tried to grab the protocol from it. fortunately that is superfluous here, since tcp_est will never be set in the non-tcp case - it is only touched in pf_src_connlimit which in turn is only ever called from pf_test_tcp(). ok mcbride + identical diff from pascoe, but he was a few minutes late :)
---
 sys/net/pf.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'sys/net/pf.c')
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 1ed5c76320e..915ea6e1cd5 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.564 2007/11/18 21:53:47 deraadt Exp $ */
+/* $OpenBSD: pf.c,v 1.565 2007/11/22 02:01:46 henning Exp $ */

 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -816,6 +816,8 @@ pf_insert_state(struct pfi_kif *kif, struct pf_state *s)
 TAILQ_FOREACH(sp, &cur->states, next)
 if (sp->kif == kif) { /* collision! */
 pf_stateins_err("tree_lan_ext", s, kif);
+ pf_detach_state(s,
+ PF_DT_SKIP_LANEXT|PF_DT_SKIP_EXTGWY);
 return (-1);
 }
 pf_detach_state(s, PF_DT_SKIP_LANEXT|PF_DT_SKIP_EXTGWY);
@@ -958,10 +960,8 @@ pf_src_tree_remove_state(struct pf_state *s)
 u_int32_t timeout;

 if (s->src_node != NULL) {
- if (s->state_key->proto == IPPROTO_TCP) {
- if (s->src.tcp_est)
- --s->src_node->conn;
- }
+ if (s->src.tcp_est)
+ --s->src_node->conn;
 if (--s->src_node->states <= 0) {
 timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
 if (!timeout)
--
cgit v1.2.3
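Review bot: The added `pf_detach_state()` call on the tree_lan_ext collision path changes what a caller holds after `return (-1)`, and nothing at the call documents it. Per the commit message, the state's `state_key` can be left NULL when the insert fails. A comment above the call such as `/* on failure s is detached; s->state_key may be NULL, callers must not dereference it */` would help stop a later failure-path caller from reintroducing a kernel NULL dereference. Only this collision branch is visible; pf_insert_state() starts and ends outside the hunk, so any other early `return (-1)` in it should be checked for the same cleanup.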
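Review bot: Dropping the `s->state_key->proto` test makes the `--s->src_node->conn` decrement depend on an invariant that is not stated at `if (s->src.tcp_est)`. The commit message gives it: `tcp_est` is only touched in pf_src_connlimit(), which is only called from pf_test_tcp(). I would add above the test `/* tcp_est is only set for TCP (pf_src_connlimit()); do not look at s->state_key here, it may be NULL after a failed pf_insert_state() */`. Without it, a later change that sets `tcp_est` on another path would silently skew the per-source `conn` counter (presumably what the connection limit checks), and a well-meaning re-add of the proto check would bring the NULL dereference back. The function continues past the end of the hunk.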