From 9a175a2dc001ccf78c7bd7bb9c43cecba154ff96 Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Mon, 6 Jan 2025 21:08:04 +0100
Subject: [PATCH] pf: avoid use-after-free on reassembly

Ensure we update the mbuf pointer returned by pf_normalize_ip() or pf_normalize_ip6() even if they fail. Otherwise we'd risk using a freed mbuf.

PR: 283705
Reported by: Yichen Chai , Zhuo Ying Jiang Li
Sponsored by: Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 5d28f4cab8d5919aba1365e885a91a96c0655b59)
---
 sys/netpfil/pf/pf.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index e2fb10c586a..477e3ac74c0 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8379,6 +8379,7 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
 		if (mtag != NULL)
 			m_tag_delete(m, mtag);
 	} else if (pf_normalize_ip(m0, kif, &reason, &pd) != PF_PASS) {
+		m = *m0;
 		/* We do IP header normalization and packet reassembly here */
 		action = PF_DROP;
 		goto done;
@@ -8584,6 +8585,10 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0,
 done:
 	PF_RULES_RUNLOCK();
+
+	if (m == NULL)
+		goto out;
+
 	if (action == PF_PASS && h->ip_hl > 5 && !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
 		action = PF_DROP;
@@ -8927,6 +8932,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb
 	/* We do IP header normalization and packet reassembly here */
 	if (pf_normalize_ip6(m0, kif, &reason, &pd) != PF_PASS) {
+		m = *m0;
 		action = PF_DROP;
 		goto done;
 	}
@@ -9196,6 +9202,9 @@ done:
 		n = NULL;
 	}
+	if (m == NULL)
+		goto out;
+
 	/* handle dangerous IPv6 extension headers. */
 	if (action == PF_PASS && rh_cnt && !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) {
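Review bot: The added `m = *m0;` in the pf_normalize_ip() failure branch only protects against the use-after-free if pf_normalize_ip() clears `*m0` on every path where it frees or consumes the mbuf; the later `m == NULL` guard at `done:` cannot detect a freed chain whose pointer was left dangling, so that contract should be stated at the assignment, e.g. `m = *m0; /* normalize may have freed/queued the mbuf; *m0 is then NULL */`. The same assumption holds for the identical `m = *m0;` added in the pf_test6 hunk. As placed, the assignment now sits between the `else if` and the existing comment "We do IP header normalization and packet reassembly here", which separates the comment from the call it describes; moving the comment above the `else if` line, as pf_test6 already has it, reads better. pf_test's body continues outside the hunk.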
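Review bot: The new `if (m == NULL) goto out;` after `PF_RULES_RUNLOCK()` skips the entire remainder of the `done:` block, so if that block (outside the hunk) is where `action == PF_DROP` with `reason` set is logged and counted, a dropped or still-reassembling fragment now leaves no trace in pflog or the drop counters; worth confirming that `out:` still accounts for the drop, since reassembly failures are exactly the events an operator would want to see. The intent of the early exit is not obvious to a later reader and deserves a comment, e.g. `/* Nothing to inspect: the mbuf was consumed (queued for reassembly) or freed by pf_normalize_ip(). */`. Placing the check immediately after the unlock is correct here, as the only statement between `done:` and the guard is `PF_RULES_RUNLOCK()`, which does not touch `m`.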
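Review bot: In the pf_test6 hunk the `m == NULL` guard is placed after `n = NULL; }`, i.e. some distance below the `done:` label named in the hunk header, so every statement between `done:` and this check runs with `m` possibly NULL; the visible lines only touch `n`, but the rest of that stretch is outside the hunk and should be audited for any use of `m`, `h` or `pd.m` before the guard, or the guard moved up to directly follow the label as the IPv4 hunk does. A short comment at the check, matching whatever wording is used in pf_test, would make the two exits consistent, e.g. `/* mbuf consumed or freed during normalization; nothing further to do */`.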