From 96808d4a7061fd75074f45cf9d306478e47bf92d Mon Sep 17 00:00:00 2001
From: Mike Frantzen <frantzen@cvs.openbsd.org>
Date: Wed, 14 May 2003 01:39:52 +0000
Subject: fix use after free race when purging the new PF tags ok henning@

---
 sys/net/pf_ioctl.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'sys/net')

diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 6ddee7d769d..d0fe22b00db 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf_ioctl.c,v 1.64 2003/05/13 17:45:24 henning Exp $ */
+/*	$OpenBSD: pf_ioctl.c,v 1.65 2003/05/14 01:39:51 frantzen Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -469,15 +469,17 @@ pf_tag_unref(u_int16_t tag)
 void
 pf_tag_purge(void)
 {
-	struct pf_tagname	*p;
+	struct pf_tagname	*p, *next;
 
-	TAILQ_FOREACH_REVERSE(p, &pf_tags, entries, pf_tagnames)
+	for (p = TAILQ_LAST(&pf_tags, pf_tags); p != NULL; p = next) {
+		next = TAILQ_PREV(p, pf_tags, entries);
 		if (p->ref == 0) {
 			if (p->tag == tagid)
 				tagid--;
 			TAILQ_REMOVE(&pf_tags, p, entries);
 			free(p, M_TEMP);
 		}
+	}
 }
 
 int
-- 
cgit v1.2.3