
if_ovpn: fix use-after-free of mbuf

Description

if_ovpn: fix use-after-free of mbuf

m_unshare() can return a new mbuf pointer. We update the 'm' pointer in
ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for
an unknown peer) the caller (udp_append()) continues with the old 'm' pointer,
eventually resulting in a use-after-free.

Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer
until we're committed to keeping the packet.

PR: 283426
Test case by: takahiro.kurosawa@gmail.com
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
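
The ordering problem described in the commit message, as an added example that is not the FreeBSD code and not part of the commit. It is a user-space toy model: `unshare()` stands in for m_unshare(), a static pool stands in for the mbuf allocator, and the boolean "consumed" return value, `KNOWN_PEER`, and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#define KNOWN_PEER 1u /* constructed: the only peer this toy handler accepts */

/* Toy model, not FreeBSD code: a static pool makes "freed" an observable flag. */
struct buf { bool live, shared; unsigned peer; };
static struct buf pool[4];
static size_t next;

static struct buf *buf_alloc(bool shared, unsigned peer) {
    if (next == sizeof(pool) / sizeof(pool[0])) return NULL;
    pool[next] = (struct buf){ .live = true, .shared = shared, .peer = peer };
    return &pool[next++];
}

/* Stand-in for m_unshare(): a shared buffer is copied and the original released. */
static struct buf *unshare(struct buf *b) {
    if (!b->shared) return b;
    struct buf *n = buf_alloc(false, b->peer);
    b->live = false;
    return n;
}

/* Ordering described as broken: 'm' is replaced before the keep/pass decision. */
static bool input_before_fix(struct buf *m) {
    if ((m = unshare(m)) == NULL) return true;
    if (m->peer != KNOWN_PEER) return false; /* pass on; caller's pointer is stale */
    m->live = false;                         /* consumed */
    return true;
}

/* Re-ordered: decide first, touch 'm' only once committed to keeping the packet. */
static bool input_after_fix(struct buf *m) {
    if (m->peer != KNOWN_PEER) return false; /* pass on; 'm' untouched */
    if ((m = unshare(m)) != NULL) m->live = false; /* consumed */
    return true;
}

/* Stand-in caller: true if its own pointer is still usable after the handler ran. */
static bool caller_pointer_valid(bool (*input)(struct buf *), bool shared, unsigned peer) {
    next = 0;
    struct buf *m = buf_alloc(shared, peer);
    return input(m) || m->live; /* consumed, or passed on with 'm' still live */
}

int main(void) {
    bool before = caller_pointer_valid(input_before_fix, true, 2);
    printf("before fix: %d, after fix: %d\n", before, caller_pointer_valid(input_after_fix, true, 2));
}
```

In this model the stale pointer only appears when the buffer is shared, because that is the only case in which `unshare()` returns a different pointer.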

Details

Provenance
kp authored on Apr 1 2025, 1:19 PM
Parents
rG5abef29833d3: fts: Stop abusing the comma operator.