https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283426
--- Comment #18 from commit-h...@freebsd.org --- A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=1463d5ff13164362f0825c4613dcb4eb42a7396c commit 1463d5ff13164362f0825c4613dcb4eb42a7396c Author: Kristof Provost <k...@freebsd.org> AuthorDate: 2025-04-01 13:19:26 +0000 Commit: Kristof Provost <k...@freebsd.org> CommitDate: 2025-04-15 07:27:09 +0000 if_ovpn: fix use-after-free of mbuf m_unshare() can return a new mbuf pointer. We update the 'm' pointer in ovpn_udp_input(), but if we decide to pass on the packet (e.g. because it's for an unknown peer) the caller (udp_append()) continues with the old 'm' pointer, eventually resulting in a use-after-free. Re-order operations in ovpn_udp_input() so that we don't modify the 'm' pointer until we're committed to keeping the packet. PR: 283426 Test case by: takahiro.kuros...@gmail.com MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 04a7134c1e92c7752ffdc665f99ae26db70866c0) sys/net/if_ovpn.c | 12 +++--- tests/sys/net/if_ovpn/if_ovpn.sh | 81 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+), 6 deletions(-) -- You are receiving this mail because: You are the assignee for the bug.
