author | dlg <dlg@openbsd.org> | 2019-11-14 01:02:02 +0000 |
---|---|---|
committer | dlg <dlg@openbsd.org> | 2019-11-14 01:02:02 +0000 |
commit | d0f4f6723adbf04efe0ba88d574a018ed8fdc396 (patch) | |
tree | 8a70e241e357627c77064735d9adbfe6220c5211 /sys/net/if.c | |
parent | in order to be able to figure out the number of signatures left on (diff) | |
avoid a use after free in if_delgroup.
if_detach passes the groupname from an ifg_list struct to if_delgroup,
if_delgroup then uses the name to find the same ifg_list struct so
it can free it, and then passes the name from the struct to
pfi_group_change(). at worst this can cause a fault if malloc(9)
actually unmaps the page the struct was on, and at best it causes
pf interfaces with garbage names to be created.
ok sashan@ bluhm@
Diffstat (limited to 'sys/net/if.c')
-rw-r--r-- | sys/net/if.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/sys/net/if.c b/sys/net/if.c
index 6732e2a0596..b531d66a374 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.598 2019/11/13 21:25:04 bluhm Exp $ */
+/* $OpenBSD: if.c,v 1.599 2019/11/14 01:02:02 dlg Exp $ */
 /* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */
 /*
@@ -2774,6 +2774,10 @@ if_delgroup(struct ifnet *ifp, const char *groupname)
 free(ifgm, M_TEMP, sizeof(*ifgm));
 }
+#if NPF > 0
+ pfi_group_change(groupname);
+#endif
+
 if (--ifgl->ifgl_group->ifg_refcnt == 0) {
 TAILQ_REMOVE(&ifg_head, ifgl->ifgl_group, ifg_next);
 #if NPF > 0
@@ -2784,10 +2788,6 @@ if_delgroup(struct ifnet *ifp, const char *groupname)
 free(ifgl, M_TEMP, sizeof(*ifgl));
-#if NPF > 0
-#endif
-
 return (0);
 }
|
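Review bot: The relocated `pfi_group_change(groupname);` call in the second hunk is safe only because of where it sits, and nothing at that spot says why it must stay above the `ifg_refcnt` decrement. Per the commit message, `groupname` can point into memory that the code below releases, so a later tidy-up that moves the pf notification back to the end of the function would silently reintroduce the use after free. I would add a comment above the `#if NPF > 0`, for example `/* groupname may point into memory freed below; notify pf before dropping the reference */`. A sturdier option to evaluate is copying the name into a local buffer at function entry so no ordering constraint remains, but the start of `if_delgroup` is outside this hunk, so I cannot tell whether that fits. The call also now runs before the group teardown in the refcount block, and whether `pfi_group_change()` behaves the same while the group is still linked is not visible here.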