After finding the socket's inp by using the pf's statekey, reset

the pointer to the statekey in the mbuf.
When an UDP socket is spliced, pf would use this key during ip_output()
although the packet went through two sockets in the meantime.  Reset
the mbuf's statekey in tcp_input() and udp_input() to eliminate the
pointer to pf lingering in the socket buffers.
OK claudio@

2 files changed, 13 insertions, 2 deletions

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index c82d2e79e16..2548504386e 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_input.c,v 1.254 2013/01/17 00:48:04 henning Exp $	*/
+/*	$OpenBSD: tcp_input.c,v 1.255 2013/01/17 11:43:06 bluhm Exp $	*/
 /*	$NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $	*/
 
 /*
@@ -899,6 +899,8 @@ findpcb:
 		((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp = inp;
 		inp->inp_pf_sk = m->m_pkthdr.pf.statekey;
 	}
+	/* The statekey has finished finding the inp, it is no longer needed. */
+	m->m_pkthdr.pf.statekey = NULL;
 #endif
 
 #ifdef IPSEC
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 82f0eef86c9..1a869c94310 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: udp_usrreq.c,v 1.151 2012/09/28 16:06:20 markus Exp $	*/
+/*	$OpenBSD: udp_usrreq.c,v 1.152 2013/01/17 11:43:06 bluhm Exp $	*/
 /*	$NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $	*/
 
 /*
@@ -620,6 +620,15 @@ udp_input(struct mbuf *m, ...)
 		}
 	}
 
+#if NPF > 0
+	/*
+	 * The statekey has finished finding the inp, it is no longer needed.
+	 * If UDP socket splicing is used, the statekey will confuse pf when
+	 * the same packet goes through ip_output().  So reset the statekey.
+	 */
+	m->m_pkthdr.pf.statekey = NULL;
+#endif
+
 #ifdef IPSEC
 	mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
 	s = splnet();