authorKristof Provost <kp@FreeBSD.org>2022-10-17 07:24:41 +0000
committerKristof Provost <kp@FreeBSD.org>2022-10-17 07:24:41 +0000
commitb136983a8a786677967b532fe74ae7975deec47b (patch)
tree7096ee747019a844d6e2d1af2a15c71f3320bb9f
parent865f46b255599c4a645e84a4cbb5ea7abdc0e207 (diff)
if_ovpn: fix use-after-free
ovpn_encrypt_tx_cb() calls ovpn_encap() to transmit a packet, then adds the length of the packet to the "tunnel_bytes_sent" counter. However, after ovpn_encap() returns 0, the mbuf chain may have been freed, so the load of m->m_pkthdr.len may be a use-after-free. Reported by: markj Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r--sys/net/if_ovpn.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c
index 55da53ae3eb6..524640639e76 100644
--- a/sys/net/if_ovpn.c
+++ b/sys/net/if_ovpn.c
@@ -1382,6 +1382,7 @@ ovpn_encrypt_tx_cb(struct cryptop *crp)
struct ovpn_kpeer *peer = crp->crp_opaque;
struct ovpn_softc *sc = peer->sc;
struct mbuf *m = crp->crp_buf.cb_mbuf;
+ int tunnel_len;
int ret;
if (crp->crp_etype != 0) {
@@ -1397,11 +1398,11 @@ ovpn_encrypt_tx_cb(struct cryptop *crp)
MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF);
+ tunnel_len = m->m_pkthdr.len - sizeof(struct ovpn_wire_header);
ret = ovpn_encap(sc, peer->peerid, m);
if (ret == 0) {
OVPN_COUNTER_ADD(sc, sent_data_pkts, 1);
- OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, m->m_pkthdr.len -
- sizeof(struct ovpn_wire_header));
+ OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, tunnel_len);
}
CURVNET_RESTORE();
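Review bot: Nothing in the code records why `tunnel_len` is computed before `ovpn_encap()`, so a later cleanup could move the read of `m->m_pkthdr.len` back after the call and reintroduce the use-after-free. A comment above the assignment would pin the ordering, for example `/* ovpn_encap() may free m, even on success; take the length now. */`. The subtraction is evaluated as `size_t` and then stored in the `int` declared in the first hunk, so it presumably relies on the encrypted packet always being at least `sizeof(struct ovpn_wire_header)` long; an `MPASS()` on that would make the assumption explicit. Other callers of `ovpn_encap()` are outside this diff and worth checking for the same access-after-call pattern. The body of `ovpn_encrypt_tx_cb()` starts and ends outside the hunk.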