HomeFreeBSD
Diffusion FreeBSD src repository 1463d5ff1316

if_ovpn: fix use-after-free of mbuf
1463d5ff1316
Actions

Description

if_ovpn: fix use-after-free of mbuf

m_unshare() can return a new mbuf pointer. We update the 'm' pointer in
ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for
an unknown peer) the caller (udp_append()) continues with the old 'm' pointer,
eventually resulting in a use-after-free.

Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer
until we're committed to keeping the packet.

PR: 283426
Test case by: takahiro.kurosawa@gmail.com
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 04a7134c1e92c7752ffdc665f99ae26db70866c0)

Details

Provenance
kpAuthored on Tue, Apr 1, 1:19 PM
Parents
rG74a0b8908483: ptrace: Do not pass a negative resid to proc_rwmem()
Branches
Unknown
Tags
Unknown

Changes (2)

PathSize
sys/
net/
tests/
sys/
net/
if_ovpn/

rG1463d5ff1316

View Options

sys/net/if_ovpn.c

Loading...
View Options

tests/sys/net/if_ovpn/if_ovpn.sh

Loading...