https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255859
Bug ID: 255859
Summary: [Patch] ipfilter/netinet: Fix a use after free in ipf_nat_rule_deref
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: b...@freebsd.org
Reporter: lylg...@foxmail.com

Created attachment 224922
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224922&action=edit
correct in_tqehead index number

Bug File: contrib/ipfilter/netinet/ip_nat.c

In function ipf_nat_rule_deref, if (n->in_tqehead[0] != NULL) is true, n->in_tqehead[1] will be freed in ipf_freetimeoutqueue() via KFREE(). But the freed pointer n->in_tqehead[1] is still used in the later ipf_deletetimeoutqueue(n->in_tqehead[1]), which is a use after free bug.

According to the surrounding code pattern, I think this bug is caused by mistyping. My patch corrects the index number of n->in_tqehead if (n->in_tqehead[0] != NULL) is true.
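The following is an added illustration, not code from the bug report or from ipfilter: a constructed model of the two-queue deref pattern the report describes, with the mistyped index selectable so the use after free (and, in this model, the leaked first queue) can be observed against the corrected version. The reference-counting behaviour of ipf_deletetimeoutqueue and ipf_freetimeoutqueue is assumed for the illustration.

```c
#include <stddef.h>

/* Constructed model of the timeout-queue bookkeeping around
 * ipf_nat_rule_deref. Names follow the report; the bodies are
 * simplified stand-ins written for this illustration, not ipfilter's. */
typedef struct ipftq {
    int ifq_ref;   /* references held on this timeout queue (assumed) */
    int freed;     /* allocator model: set once KFREE() would have run */
} ipftq_t;

typedef struct ipnat {
    ipftq_t *in_tqehead[2];   /* per-rule timeout queues, one per direction */
} ipnat_t;

/* Model of ipf_deletetimeoutqueue: drops one reference and returns 0 when
 * the queue is unreferenced and may be freed. Touching a freed queue is
 * the use after free from the report; it is counted instead of crashing. */
static int ipf_deletetimeoutqueue(ipftq_t *q, int *uaf_hits)
{
    if (q->freed) { (*uaf_hits)++; return -1; }
    return (--q->ifq_ref == 0) ? 0 : 1;
}

/* Model of ipf_freetimeoutqueue: stands in for KFREE(). */
static void ipf_freetimeoutqueue(ipftq_t *q) { q->freed = 1; }

/* One deref pass over a rule; `fix` selects the corrected index in the
 * first block. Returns the number of freed-queue accesses observed. */
static int nat_rule_deref(ipnat_t *n, int fix)
{
    int uaf_hits = 0;
    if (n->in_tqehead[0] != NULL) {
        if (ipf_deletetimeoutqueue(n->in_tqehead[0], &uaf_hits) == 0)
            /* Buggy code frees [1] here; the patch makes it [0]. */
            ipf_freetimeoutqueue(n->in_tqehead[fix ? 0 : 1]);
    }
    if (n->in_tqehead[1] != NULL) {
        if (ipf_deletetimeoutqueue(n->in_tqehead[1], &uaf_hits) == 0)
            ipf_freetimeoutqueue(n->in_tqehead[1]);
    }
    return uaf_hits;
}

/* Drive one rule whose two queues each hold a single reference and report
 * which queues ended up freed. Returns the use-after-free count. */
int deref_check(int fix, int *fwd_freed, int *rev_freed)
{
    ipftq_t fwd = { 1, 0 }, rev = { 1, 0 };
    ipnat_t rule = { { &fwd, &rev } };
    int hits = nat_rule_deref(&rule, fix);
    *fwd_freed = fwd.freed;
    *rev_freed = rev.freed;
    return hits;
}
```

With the mistyped index the second block dereferences a queue that the first block already released, and the first queue is never freed; with the index corrected each queue is released exactly once.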