Re: Bug in pf_ioctl.c
On Thu, 18 Mar 2004, Jon Coller wrote:
> Then when the state expiry code is called the rule pointer is
> dereferenced, resulting in a crash:
>
> /usr/src/sys/net/pf.c line 711:
> timeout = state->rule.ptr->timeout[state->timeout];
>
> My quick fix was the following change:
> /usr/src/sys/net/pf_ioctl.c line 1362:
> - state->rule.ptr = NULL;
> + state->rule.ptr = &pf_default_rule;
> While this is not ideal, it works :)
I believe this is a more robust fix: it also covers the case where the rule
pointer is NULL for any other reason, which appears possible now (or may become so in the future).
Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.430
diff -u -r1.430 pf.c
--- pf.c 2004/03/11 10:15:26 1.430
+++ pf.c 2004/03/18 22:03:56
@@ -701,6 +701,7 @@
u_int32_t start;
u_int32_t end;
u_int32_t states;
+ struct pf_rule *rule;
/* handle all PFTM_* > PFTM_MAX here */
if (state->timeout == PFTM_PURGE)
@@ -708,13 +709,18 @@
if (state->timeout == PFTM_UNTIL_PACKET)
return (0);
KASSERT(state->timeout < PFTM_MAX);
- timeout = state->rule.ptr->timeout[state->timeout];
+ rule = state->rule.ptr;
+ if (rule) {
+ timeout = rule->timeout[state->timeout];
+ start = rule->timeout[PFTM_ADAPTIVE_START];
+ } else {
+ timeout = start = 0;
+ }
if (!timeout)
timeout = pf_default_rule.timeout[state->timeout];
- start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
if (start) {
- end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
- states = state->rule.ptr->states;
+ end = rule->timeout[PFTM_ADAPTIVE_END];
+ states = rule->states;
} else {
start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
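Review bot: The NULL-safety of the `if (start)` branch (`end = rule->timeout[PFTM_ADAPTIVE_END]; states = rule->states;`) rests on an implicit invariant: `start` can only be non-zero when `rule` is non-NULL, because the new else branch forces `timeout = start = 0`. Nothing at the `if (start)` site says so, and a later edit that takes `start` from `pf_default_rule` in the NULL case would silently reintroduce the crash this patch fixes; either write the guard locally, `if (rule != NULL && start) {`, or add a comment above it, `/* start != 0 implies rule != NULL: see the NULL branch above */`. This patch guards only the reads in this function, which starts before the hunk and continues past it; if the pf_ioctl.c path that sets `state->rule.ptr = NULL` leaves the state reachable by other code that dereferences `rule.ptr` (not visible here), those sites presumably need the same treatment.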
--
quit whining you haven't done anything wrong
because frankly you haven't done much of anything