| author | Kristof Provost <kp@FreeBSD.org> | 2026-02-18 18:23:42 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2026-02-18 20:22:53 +0000 |
| commit | d60082f16e4c91d4b97d8b3b56b39fa348ecfbda (patch) | |
| tree | 37cdccc3a5a2febad0fd713ab64eb07e878af37d | |
| parent | e1e18cc12e68762b641646b203d9ac42d10e3b1f (diff) | |
pf: avoid NULL deref on purged states

States can be invalidated and still be present in the state table for a
while (until the pf_purge thread cleans them up). These states might not
have keys set, so we must make sure a state is not purged before we try
to access those keys.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
| -rw-r--r-- | sys/netpfil/pf/pf.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index b7c79437584e..90342f045763 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -2226,8 +2226,10 @@ pf_find_state(struct pf_pdesc *pd, const struct pf_state_key_cmp *key, /* Look through the other list, in case of AF-TO */ idx = idx == PF_SK_WIRE ? PF_SK_STACK : PF_SK_WIRE; TAILQ_FOREACH(s, &sk->states[idx], key_list[idx]) { - if (s->key[PF_SK_WIRE]->af == s->key[PF_SK_STACK]->af) + if (s->timeout < PFTM_MAX && + s->key[PF_SK_WIRE]->af == s->key[PF_SK_STACK]->af) continue; + if (s->kif == V_pfi_all || s->kif == pd->kif || s->orig_kif == pd->kif) { PF_STATE_LOCK(s); |
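Review bot: In the `TAILQ_FOREACH` loop of `pf_find_state()`, a state with `s->timeout >= PFTM_MAX` no longer takes the `continue`. The `&&` short-circuits past the `s->key[...]->af` dereference, but the purged state then falls through to the `s->kif` comparison and, on a match, to `PF_STATE_LOCK(s)`. The guard therefore avoids the NULL key access without skipping the state itself, and nothing in the visible context shows where the purged state is rejected afterwards. If that happens after the lock is taken, a one-line comment above the condition saying so, and noting that `timeout < PFTM_MAX` means "not yet purged", would make the intent clear. If purged states should never be candidates here, a separate `if (s->timeout >= PFTM_MAX) continue;` ahead of the address-family comparison states that directly. Also worth confirming that reading `s->timeout` before `PF_STATE_LOCK(s)` is covered by a lock already held at this point, since the hunk does not show one.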
