Wed May 26 14:48:02 2021 UTC ()
Fix ip_nat memory leak and use-after-free, wrong element freed (Cy Schubert)
https://cgit.freebsd.org/src/commit/?id=323a4e2c4e285e6f8eee8db3fe2cb74


(christos)
diff -r1.23 -r1.24 src/sys/external/bsd/ipf/netinet/ip_nat.c
cvs diff -r1.23 -r1.24 src/sys/external/bsd/ipf/netinet/ip_nat.c (expand / switch to context diff)
--- src/sys/external/bsd/ipf/netinet/ip_nat.c 2020/08/01 06:50:42 1.23
+++ src/sys/external/bsd/ipf/netinet/ip_nat.c 2021/05/26 14:48:02 1.24
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_nat.c,v 1.23 2020/08/01 06:50:42 maxv Exp $	*/
+/*	$NetBSD: ip_nat.c,v 1.24 2021/05/26 14:48:02 christos Exp $	*/
 
 /*
  * Copyright (C) 2012 by Darren Reed.
@@ -112,7 +112,7 @@
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.23 2020/08/01 06:50:42 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_nat.c,v 1.24 2021/05/26 14:48:02 christos Exp $");
 #else
 static const char sccsid[] = "@(#)ip_nat.c	1.11 6/5/96 (C) 1995 Darren Reed";
 static const char rcsid[] = "@(#)Id: ip_nat.c,v 1.1.1.2 2012/07/22 13:45:27 darrenr Exp";
@@ -6178,7 +6178,7 @@
 
 	if (n->in_tqehead[0] != NULL) {
 		if (ipf_deletetimeoutqueue(n->in_tqehead[0]) == 0) {
-			ipf_freetimeoutqueue(softc, n->in_tqehead[1]);
+			ipf_freetimeoutqueue(softc, n->in_tqehead[0]);
 		}
 	}