diff options
| author | Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org> | 2026-04-14 09:36:53 +0000 |
|---|---|---|
| committer | Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org> | 2026-04-14 10:32:56 +0000 |
| commit | 7d38eb720a8d8345949986d779e785984ae19ae0 (patch) | |
| tree | 18c0efd0d172140cab3b1894f257372a291afaf7 | |
| parent | 439132310ae1f623f6c0a3dc241d0a34e98e040b (diff) | |
routing: Fix use-after-free in finalize_nhop
FIB_NH_LOG calls the `nhop_get_upper_family(nh)` to read
`nh->nh_priv->nh_upper_family` for failure logging.
Call FIB_NH_LOG before freeing nh so failures are logged
without causing a panic.
MFC after: 3 days
| -rw-r--r-- | sys/net/route/nhop_ctl.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/net/route/nhop_ctl.c b/sys/net/route/nhop_ctl.c index 6c03e621ed82..52e7b0fefcd2 100644 --- a/sys/net/route/nhop_ctl.c +++ b/sys/net/route/nhop_ctl.c @@ -491,17 +491,17 @@ finalize_nhop(struct nh_control *ctl, struct nhop_object *nh, bool link) /* Allocate per-cpu packet counter */ nh->nh_pksent = counter_u64_alloc(M_NOWAIT); if (nh->nh_pksent == NULL) { + FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed"); nhop_free(nh); RTSTAT_INC(rts_nh_alloc_failure); - FIB_NH_LOG(LOG_WARNING, nh, "counter_u64_alloc() failed"); return (ENOMEM); } if (!reference_nhop_deps(nh)) { + FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed"); counter_u64_free(nh->nh_pksent); nhop_free(nh); RTSTAT_INC(rts_nh_alloc_failure); - FIB_NH_LOG(LOG_WARNING, nh, "interface reference failed"); return (EAGAIN); } |