avoid a use after free in if_delgroup.

if_detach passes the groupname from an ifg_list struct to if_delgroup,
if_delgroup then uses the name to find the same ifg_list struct so
it can free it, and then passes the name from the struct to
pfi_group_change(). at worst this can cause a fault if malloc(9)
actually unmaps the page the struct was on, and at best it causes
pf interfaces with garbage names to be created.

ok sashan@ bluhm@

1 files changed, 5 insertions, 5 deletions

diff --git a/sys/net/if.c b/sys/net/if.c
index 6732e2a0596..b531d66a374 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if.c,v 1.598 2019/11/13 21:25:04 bluhm Exp $	*/
+/*	$OpenBSD: if.c,v 1.599 2019/11/14 01:02:02 dlg Exp $	*/
 /*	$NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $	*/
 
 /*
@@ -2774,6 +2774,10 @@ if_delgroup(struct ifnet *ifp, const char *groupname)
 		free(ifgm, M_TEMP, sizeof(*ifgm));
 	}
 
+#if NPF > 0
+	pfi_group_change(groupname);
+#endif
+
 	if (--ifgl->ifgl_group->ifg_refcnt == 0) {
 		TAILQ_REMOVE(&ifg_head, ifgl->ifgl_group, ifg_next);
 #if NPF > 0
@@ -2784,10 +2788,6 @@ if_delgroup(struct ifnet *ifp, const char *groupname)
 
 	free(ifgl, M_TEMP, sizeof(*ifgl));
 
-#if NPF > 0
-	pfi_group_change(groupname);
-#endif
-
 	return (0);
 }