Wed May 26 14:48:02 2021 UTC ()
Fix ip_nat memory leak and use-after-free, wrong element freed (Cy Schubert)
https://cgit.freebsd.org/src/commit/?id=323a4e2c4e285e6f8eee8db3fe2cb74


(christos)
diff -r1.23 -r1.24 src/sys/external/bsd/ipf/netinet/ip_nat.c


--- src/sys/external/bsd/ipf/netinet/ip_nat.c 2020/08/01 06:50:42 1.23
+++ src/sys/external/bsd/ipf/netinet/ip_nat.c 2021/05/26 14:48:02 1.24
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: ip_nat.c,v 1.23 2020/08/01 06:50:42 maxv Exp $ */ 1/* $NetBSD: ip_nat.c,v 1.24 2021/05/26 14:48:02 christos Exp $ */
2 2
3/* 3/*
4 * Copyright (C) 2012 by Darren Reed. 4 * Copyright (C) 2012 by Darren Reed.
5 * 5 *
6 * See the IPFILTER.LICENCE file for details on licencing. 6 * See the IPFILTER.LICENCE file for details on licencing.
7 */ 7 */
8#if defined(KERNEL) || defined(_KERNEL) 8#if defined(KERNEL) || defined(_KERNEL)
9# undef KERNEL 9# undef KERNEL
10# undef KERNEL 10# undef KERNEL
11# define KERNEL 1 11# define KERNEL 1
12# define KERNEL 1 12# define KERNEL 1
13#endif 13#endif
14#include <sys/errno.h> 14#include <sys/errno.h>
@@ -102,27 +102,27 @@ extern struct ifnet vpnif; @@ -102,27 +102,27 @@ extern struct ifnet vpnif;
102#ifdef HAS_SYS_MD5_H 102#ifdef HAS_SYS_MD5_H
103# include <sys/md5.h> 103# include <sys/md5.h>
104#else 104#else
105# include "md5.h" 105# include "md5.h"
106#endif 106#endif
107/* END OF INCLUDES */ 107/* END OF INCLUDES */
108 108
109#undef SOCKADDR_IN 109#undef SOCKADDR_IN
110#define SOCKADDR_IN struct sockaddr_in 110#define SOCKADDR_IN struct sockaddr_in
111 111
112#if !defined(lint) 112#if !defined(lint)
113#if defined(__NetBSD__) 113#if defined(__NetBSD__)
114#include <sys/cdefs.h> 114#include <sys/cdefs.h>
115__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.23 2020/08/01 06:50:42 maxv Exp $"); 115__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.24 2021/05/26 14:48:02 christos Exp $");
116#else 116#else
117static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; 117static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
118static const char rcsid[] = "@(#)Id: ip_nat.c,v 1.1.1.2 2012/07/22 13:45:27 darrenr Exp"; 118static const char rcsid[] = "@(#)Id: ip_nat.c,v 1.1.1.2 2012/07/22 13:45:27 darrenr Exp";
119#endif 119#endif
120#endif 120#endif
121 121
122 122
123#define NATFSUM(n,v,f) ((v) == 4 ? (n)->f.in4.s_addr : (n)->f.i6[0] + \ 123#define NATFSUM(n,v,f) ((v) == 4 ? (n)->f.in4.s_addr : (n)->f.i6[0] + \
124 (n)->f.i6[1] + (n)->f.i6[2] + (n)->f.i6[3]) 124 (n)->f.i6[1] + (n)->f.i6[2] + (n)->f.i6[3])
125#define NBUMP(x) softn->(x)++ 125#define NBUMP(x) softn->(x)++
126#define NBUMPD(x, y) do { \ 126#define NBUMPD(x, y) do { \
127 softn->x.y++; \ 127 softn->x.y++; \
128 DT(y); \ 128 DT(y); \
@@ -6168,27 +6168,27 @@ ipf_nat_rule_deref(ipf_main_softc_t *sof @@ -6168,27 +6168,27 @@ ipf_nat_rule_deref(ipf_main_softc_t *sof
6168 if (n->in_redir & NAT_REDIRECT) { 6168 if (n->in_redir & NAT_REDIRECT) {
6169 if ((n->in_flags & IPN_PROXYRULE) == 0) { 6169 if ((n->in_flags & IPN_PROXYRULE) == 0) {
6170 ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_rdr); 6170 ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_rdr);
6171 } 6171 }
6172 } 6172 }
6173 if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) { 6173 if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) {
6174 if ((n->in_flags & IPN_PROXYRULE) == 0) { 6174 if ((n->in_flags & IPN_PROXYRULE) == 0) {
6175 ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_map); 6175 ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules_map);
6176 } 6176 }
6177 } 6177 }
6178 6178
6179 if (n->in_tqehead[0] != NULL) { 6179 if (n->in_tqehead[0] != NULL) {
6180 if (ipf_deletetimeoutqueue(n->in_tqehead[0]) == 0) { 6180 if (ipf_deletetimeoutqueue(n->in_tqehead[0]) == 0) {
6181 ipf_freetimeoutqueue(softc, n->in_tqehead[1]); 6181 ipf_freetimeoutqueue(softc, n->in_tqehead[0]);
6182 } 6182 }
6183 } 6183 }
6184 6184
6185 if (n->in_tqehead[1] != NULL) { 6185 if (n->in_tqehead[1] != NULL) {
6186 if (ipf_deletetimeoutqueue(n->in_tqehead[1]) == 0) { 6186 if (ipf_deletetimeoutqueue(n->in_tqehead[1]) == 0) {
6187 ipf_freetimeoutqueue(softc, n->in_tqehead[1]); 6187 ipf_freetimeoutqueue(softc, n->in_tqehead[1]);
6188 } 6188 }
6189 } 6189 }
6190 6190
6191 if ((n->in_flags & IPN_PROXYRULE) == 0) { 6191 if ((n->in_flags & IPN_PROXYRULE) == 0) {
6192 ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules); 6192 ATOMIC_DEC32(softn->ipf_nat_stats.ns_rules);
6193 } 6193 }
6194 6194
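Review bot: The two `in_tqehead` teardown blocks at new lines 6179-6189 remain copy-pasted twins that differ only in the array index, which is the shape that allowed the `[1]`-for-`[0]` mix-up (slot 0 never released, slot 1 released on slot 0's count) in the first place. Folding them into one loop over both slots keeps the NULL test, the `ipf_deletetimeoutqueue()` call and the `ipf_freetimeoutqueue()` call on the same element by construction. The bound of 2 assumes `in_tqehead` has exactly two slots, as the hunk's use of `[0]` and `[1]` suggests. A one-line comment saying what a zero return from `ipf_deletetimeoutqueue()` means would also help, since that contract (presumably that no references remain) is not visible here. The body of ipf_nat_rule_deref starts and ends outside the hunk, so the loop index declaration would go with the function's other locals.

```c
	/* ... unchanged: ns_rules_rdr / ns_rules_map accounting ... */

	/* Release both per-rule timeout queues; index is shared by test, deref and free. */
	for (i = 0; i < 2; i++) {
		if (n->in_tqehead[i] == NULL)
			continue;
		if (ipf_deletetimeoutqueue(n->in_tqehead[i]) == 0)
			ipf_freetimeoutqueue(softc, n->in_tqehead[i]);
	}

	/* ... unchanged: ns_rules accounting ... */
```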