K 10
svn:author
V 2
cy
K 8
svn:date
V 27
2023-02-09T21:23:06.693125Z
K 7
svn:log
V 833
ipfilter: Fix use after free on packet with broken lengths

Under the scenario with a packet with length of 67 bytes, a header length
using the default of 20 bytes and a TCP data offset (th_off) of 48 will
cause m_pullup() to fail to make sure bytes are arragned contiguously.
m_pullup() will free the mbuf chain and return a null. ipfilter stores
the resultant mbuf address (or the resulting NULL) in its fr_info_t
structure. Unfortuntely the eroneous packet is not flagged for drop.
This results in a kernel page fault at line 410 of sys/netinet/ip_fastfwd.c
as it tries to use a now previously freed, by m_pullup(), mbuf.

PR:		266442
Reported by:	Robert Morris <rtm@lcs.mit.edu>

(cherry picked from commit 79f7745c098a766d34a4e072cdd1a06e6d0829d5)

Git Hash:   351f2f68852ac3e1d0ef745dc024dd745b07a34f
Git Author: cy@FreeBSD.org
END