Date:      Fri, 9 Jan 2009 21:02:54 +0000 (UTC)
From:      Alexander Motin <mav@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
Subject:   svn commit: r186976 - in stable/7/sys: . contrib/pf dev/ath/ath_hal dev/cxgb netgraph
Message-ID:  <200901092102.n09L2sMa068794@svn.freebsd.org>

Author: mav
Date: Fri Jan  9 21:02:54 2009
New Revision: 186976
URL: http://svn.freebsd.org/changeset/base/186976

Log:
  MFC rev. 182995
  
  We can't implicitly trust the hook on NGQF_FN/NGQF_FN2 processing in
  ng_apply_item(). There are possible (and I have got one) use-after-free
  class panics because of it.
  
  If a hook is specified, require it to be valid at apply time. The only
  exceptions are the internal ng_con_part2(), ng_con_part3() and
  ng_rmhook_part2() functions which are specially made to work with invalid
  hooks.
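The rule the log message describes (a queued function item that names a hook must find that hook valid when the item is applied, with a short allowlist of internal functions that are written to tolerate an invalid hook) is modelled below as an added illustration. This is not FreeBSD netgraph code: the names `hook`, `item`, `item_apply`, `ordinary_fn`, `teardown_fn` and `exempt_from_hook_check` are constructed stand-ins for the real `NG_HOOK_NOT_VALID()`, `NGI_FN()`/`NGI_FN2()` and `ng_con_part2`/`ng_con_part3`/`ng_rmhook_part2`, and the "teardown while queued" scenario is constructed to show why validating at apply time, rather than trusting the hook at enqueue time, matters.

```c
/*
 * Toy model of the check added in r186976 (constructed example, not
 * netgraph code).  A hook referenced by a queued item is torn down before
 * the item runs; the dispatcher must refuse to hand the dead hook to a
 * function that assumes it is alive, but may still run the few internal
 * functions that are designed for invalid hooks.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct hook {
    int valid;   /* cleared when the hook is torn down */
    int uses;    /* how often an applied function dereferenced it */
};

struct node {
    int valid;
};

typedef void (item_fn)(struct node *, struct hook *, int arg);

struct item {
    item_fn *fn;
    struct hook *hook;   /* may be NULL for node-only work */
    int arg;
};

/* An ordinary queued function: it assumes its hook is alive. */
static void ordinary_fn(struct node *n, struct hook *h, int arg)
{
    (void)n; (void)arg;
    h->uses++;   /* on a freed hook this would be the use-after-free */
}

/* An internal teardown step that tolerates a missing or invalid hook. */
static void teardown_fn(struct node *n, struct hook *h, int arg)
{
    (void)n; (void)arg;
    if (h == NULL || !h->valid)
        return;
    h->uses++;
}

/* Allowlist: the only functions permitted to run against an invalid hook. */
static bool exempt_from_hook_check(item_fn *fn)
{
    return fn == teardown_fn;
}

/* Apply one queued item.  Returns 0, or EINVAL when the item is dropped. */
static int item_apply(struct node *node, struct item *item)
{
    struct hook *hook = item->hook;

    if (!node->valid)
        return EINVAL;
    /* The fix: a supplied hook must be valid at apply time unless the
     * queued function is one of the internals built for invalid hooks. */
    if (hook != NULL && !hook->valid && !exempt_from_hook_check(item->fn))
        return EINVAL;
    item->fn(node, hook, item->arg);
    return 0;
}

/* Scenario: the hook is torn down while an item naming it is still queued.
 * Returns item_apply()'s result; *uses_out receives how often the dead hook
 * was dereferenced (0 is the safe outcome). */
int apply_after_teardown(item_fn *fn, int *uses_out)
{
    struct node node = { .valid = 1 };
    struct hook hook = { .valid = 1, .uses = 0 };
    struct item item = { .fn = fn, .hook = &hook, .arg = 0 };
    int rc;

    hook.valid = 0;   /* teardown happens before the queue is drained */
    rc = item_apply(&node, &item);
    if (uses_out != NULL)
        *uses_out = hook.uses;
    return rc;
}

/* Convenience wrapper returning only the dereference count. */
int uses_after_teardown(item_fn *fn)
{
    int uses = 0;
    (void)apply_after_teardown(fn, &uses);
    return uses;
}

int main(void)
{
    printf("ordinary_fn: rc=%d uses=%d\n",
        apply_after_teardown(ordinary_fn, NULL), uses_after_teardown(ordinary_fn));
    printf("teardown_fn: rc=%d uses=%d\n",
        apply_after_teardown(teardown_fn, NULL), uses_after_teardown(teardown_fn));
    return 0;
}
```

The ordinary item is dropped with EINVAL instead of dereferencing the dead hook, while the allowlisted teardown step still runs and simply declines to touch it; in both cases the dead hook is never dereferenced, which is the property the real check restores.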

Modified:
  stable/7/sys/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)
  stable/7/sys/dev/ath/ath_hal/   (props changed)
  stable/7/sys/dev/cxgb/   (props changed)
  stable/7/sys/netgraph/ng_base.c

Modified: stable/7/sys/netgraph/ng_base.c
==============================================================================
--- stable/7/sys/netgraph/ng_base.c	Fri Jan  9 20:57:43 2009	(r186975)
+++ stable/7/sys/netgraph/ng_base.c	Fri Jan  9 21:02:54 2009	(r186976)
@@ -2377,19 +2377,27 @@ ng_apply_item(node_p node, item_p item, 
 	case NGQF_FN:
 	case NGQF_FN2:
 		/*
-		 *  We have to implicitly trust the hook,
-		 * as some of these are used for system purposes
-		 * where the hook is invalid. In the case of
-		 * the shutdown message we allow it to hit
+		 * In the case of the shutdown message we allow it to hit
 		 * even if the node is invalid.
 		 */
-		if ((NG_NODE_NOT_VALID(node))
-		&& (NGI_FN(item) != &ng_rmnode)) {
+		if (NG_NODE_NOT_VALID(node) &&
+		    NGI_FN(item) != &ng_rmnode) {
 			TRAP_ERROR();
 			error = EINVAL;
 			NG_FREE_ITEM(item);
 			break;
 		}
+		/* Same is about some internal functions and invalid hook. */
+		if (hook && NG_HOOK_NOT_VALID(hook) &&
+		    NGI_FN2(item) != &ng_con_part2 &&
+		    NGI_FN2(item) != &ng_con_part3 &&
+		    NGI_FN(item) != &ng_rmhook_part2) {
+			TRAP_ERROR();
+			error = EINVAL;
+			NG_FREE_ITEM(item);
+			break;
+		}
+		
 		if ((item->el_flags & NGQF_TYPE) == NGQF_FN) {
 			(*NGI_FN(item))(node, hook, NGI_ARG1(item),
 			    NGI_ARG2(item));
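Review bot: the new exemption compares `NGI_FN2(item)` against `&ng_con_part2` / `&ng_con_part3` and `NGI_FN(item)` against `&ng_rmhook_part2` without consulting `item->el_flags & NGQF_TYPE`, which the dispatch a few lines below does check before choosing between `NGI_FN` and `NGI_FN2`; unless the two accessors are guaranteed to read the same storage, an item of the other type could match an exempt address by coincidence and slip past the hook check, so either gate each comparison on the item type or add a comment stating the aliasing the check relies on. The comment `/* Same is about some internal functions and invalid hook. */` also reads awkwardly; something like `/* Likewise, only a few internal functions may run against an invalid hook. */` states what the exemption is for. Finally, the added blank line before `if ((item->el_flags & NGQF_TYPE) == NGQF_FN)` carries trailing tabs.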
