Bug in pfioctl.c
- To: tech@openbsd.org
- Subject: Bug in pfioctl.c
- From: Jon Coller <jon@coller.org>
- Date: Thu, 18 Mar 2004 08:46:50 -0600
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
While working on a project which needs to insert arbitrary states into
the state table, I discovered a bug in the combinations of
pfioctl/pf_state_expires. If pfioctl is used to insert a state (via
DIOCADDSTATE), the rule pointer is NULL'd before the call to
pf_insert_state():
/usr/src/sys/net/pf_ioctl.c line 1362:
state->rule.ptr = NULL;
Then, when the state expiry code is called, the rule pointer is
dereferenced, resulting in a crash:
/usr/src/sys/net/pf.c line 711:
timeout = state->rule.ptr->timeout[state->timeout];
My quick fix was the following change:
/usr/src/sys/net/pf_ioctl.c line 1362:
- state->rule.ptr = NULL;
+ state->rule.ptr = &pf_default_rule;
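Review bot: pointing rule.ptr at &pf_default_rule in pf_ioctl.c at line 1362 removes the NULL dereference at pf.c line 711, but the alternative of making pf_state_expires() fall back to pf_default_rule's timeouts when state->rule.ptr is NULL keeps a state with no rule distinguishable and covers any other reader of rule.ptr, not just this insert path. In either case, since that lookup indexes timeout[] with state->timeout and DIOCADDSTATE takes the state from the caller, the ioctl path should also reject an out-of-range state->timeout before pf_insert_state().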
While this is not ideal, it works :)
I did a quick grep through the source tree and it doesn't look like
anyone else is using this ioctl, so it looks like I'm the only one
affected :)
Thanks,
Jon Coller
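The defect described in the mail, modelled as an added example that is not the OpenBSD code: a simplified pf_state/pf_rule layout (the struct fields, PFTM_MAX and the timeout values are assumptions) with the unchecked expiry lookup beside a checked one, and a DIOCADDSTATE-style insert that applies the quick fix from the mail plus a bounds check on the timeout index.

```c
#include <stddef.h>
#include <stdint.h>

#define PFTM_MAX 4                  /* assumed number of timeout classes */

struct pf_rule {
    uint32_t timeout[PFTM_MAX];     /* seconds per timeout class */
};

struct pf_state {
    struct { struct pf_rule *ptr; } rule;
    uint8_t  timeout;               /* index into rule.ptr->timeout[] */
    uint32_t expire;                /* timestamp of last activity */
};

/* Stand-in for pf_default_rule with constructed timeouts. */
struct pf_rule pf_default_rule = { { 60, 120, 30, 10 } };

/* Shape of the lookup quoted from pf.c line 711: rule.ptr is dereferenced
 * unconditionally, so a state whose rule.ptr is NULL crashes here. */
uint32_t pf_state_expires_unchecked(const struct pf_state *s)
{
    return s->expire + s->rule.ptr->timeout[s->timeout];
}

/* Hardened lookup: fall back to pf_default_rule when no rule is attached,
 * and reject a timeout index outside the array (a user-supplied state can
 * carry any value). Returns 0 on a bad index so the caller can drop it. */
uint32_t pf_state_expires_checked(const struct pf_state *s)
{
    const struct pf_rule *r = s->rule.ptr ? s->rule.ptr : &pf_default_rule;
    if (s->timeout >= PFTM_MAX)
        return 0;
    return s->expire + r->timeout[s->timeout];
}

/* Models the DIOCADDSTATE path with the mail's quick fix applied: copy the
 * caller-supplied state, attach pf_default_rule instead of NULL, and
 * validate the timeout index before the state can reach the expiry code.
 * Returns 0 on success, -1 if the state is rejected. */
int pf_add_state_from_user(struct pf_state *dst, const struct pf_state *src)
{
    if (src->timeout >= PFTM_MAX)
        return -1;
    *dst = *src;
    dst->rule.ptr = &pf_default_rule;
    return 0;
}
```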