Author: sbruno Date: Thu Sep 25 02:26:05 2014 New Revision: 272089 URL: http://svnweb.freebsd.org/changeset/base/272089
Log: Fix NULL pointer deref in ipfw when using dummynet at layer 2. Drop packet if pkg->ifp is NULL, which is the case here. ref. https://github.com/HardenedBSD/hardenedBSD commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7 PR 193861 -- DUMMYNET LAYER2: kernel panic in this case a kernel panic occurs. Hence, when we do not get an interface, we just drop the packet in question. PR: 193681 Submitted by: David Carlier <david.carl...@hardenedbsd.org> Obtained from: Hardened BSD MFC after: 2 weeks Relnotes: yes Modified: head/sys/netpfil/ipfw/ip_dn_io.c Modified: head/sys/netpfil/ipfw/ip_dn_io.c ============================================================================== --- head/sys/netpfil/ipfw/ip_dn_io.c Wed Sep 24 22:58:10 2014 (r272088) +++ head/sys/netpfil/ipfw/ip_dn_io.c Thu Sep 25 02:26:05 2014 (r272089) @@ -751,10 +751,15 @@ dummynet_send(struct mbuf *m) /* extract the dummynet info, rename the tag * to carry reinject info. */ - dst = pkt->dn_dir; - ifp = pkt->ifp; - tag->m_tag_cookie = MTAG_IPFW_RULE; - tag->m_tag_id = 0; + if (pkt->dn_dir == (DIR_OUT | PROTO_LAYER2) && + pkt->ifp == NULL) { + dst = DIR_DROP; + } else { + dst = pkt->dn_dir; + ifp = pkt->ifp; + tag->m_tag_cookie = MTAG_IPFW_RULE; + tag->m_tag_id = 0; + } } switch (dst) { _______________________________________________ svn-src-head@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
