| author | Kristof Provost <kp@FreeBSD.org> | 2026-01-12 16:19:52 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2026-01-14 06:44:43 +0000 |
| commit | 1ee4405a00d7bcfa5545bba7a78b71cdd4cfdc20 (patch) | |
| tree | 4a613391287960395719b7a0bd59777341cfb503 | |
| parent | 1550fcf802e3413e2ecb39fd81f7bff1c134c3f3 (diff) | |
pf: avoid a shadowed variable in the pf_create_state() source limiter handling
the code that unwinds state creation when something fails needed
the pf_source variable at the function scope to be set, but this
was masked by a declaration in the scope that sets up the source
limiting. this results in a NULL deref in the unwind code when it
needs to clean up the accounting for a source limiter.
i found it funny that i left this comment for myself in the unwinding
code:
/* who needs KASSERTS when we have NULL derefs */
ok jmatthew@
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, fc9311361f
Sponsored by: Rubicon Communications, LLC ("Netgate")
| -rw-r--r-- | sys/netpfil/pf/pf.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 88b110d744ee..79948b218428 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6846,9 +6846,9 @@ pf_create_state(struct pf_krule *r, struct pf_test_ctx *ctx, srlim = ctx->sourcelim; if (srlim != NULL) { - struct pf_source *sr = ctx->source; unsigned int gen; + sr = ctx->source; if (sr == NULL) { sr = malloc(sizeof(*sr), M_PF_SOURCE_LIM, M_NOWAIT | M_ZERO); if (sr == NULL) { |
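Review bot: the replacement line `sr = ctx->source;` now assigns to a function-scope `sr` whose declaration is outside the visible context of this hunk, so the review should confirm that declaration initializes `sr` to NULL before `srlim` is tested; if it does not, the unwind path that releases source-limiter accounting would read an indeterminate pointer whenever `srlim == NULL` instead of skipping the cleanup, which is the same class of bug this change is fixing by a different route. Given the `/* who needs KASSERTS when we have NULL derefs */` comment quoted in the commit message, a `KASSERT(sr != NULL, ...)` (or an explicit NULL check) at the top of the unwind code would have turned the silent shadowing into a loud failure under INVARIANTS; consider adding one alongside this change so the next refactor of this block cannot reintroduce it quietly.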
