Diffusion FreeBSD src repository 0ba9cb5e710f

dummynet: fix wf2q use-after-free
0ba9cb5e710f
Actions

Description

dummynet: fix wf2q use-after-free

When we clean up a wf2q+ queue we need to ensure that we remove it from
the correct heap. If we leave a queue pointer behind in an unexpected
heap we'll later write to it, causing a use-after-free and unpredictable
panics.

Teach the dummynet heap code to verify that we're removing the correct
object so we can safely attempt to remove objects not contained in the
heap.

Remove a to-be-removed queue from all heaps.

Also don't continue the enqueue function if we're not finding the queue
on the idle heap as we'd expect.

While here also remove the empty heap warning, because this is now
expected to happen.

See also: https://redmine.pfsense.org/issues/14433
Sponsored by: Rubicon Communications, LLC ("Netgate")

Details

Provenance

kp	Authored on Jun 12 2023, 1:05 PM

Parents

rG081acb837cd3: dummynet: remove unused field from dn_pkt_tag

Branches

Unknown

Tags

Unknown

Event Timeline

kp committed rG0ba9cb5e710f: dummynet: fix wf2q use-after-free (authored by kp).Jun 13 2023, 1:51 PM

Changes (3)

Path

Size

sys/

netpfil/

ipfw/

dn_heap.c

dn_heap.h

dn_sched_wf2q.c

rG0ba9cb5e710f

View Options

sys/netpfil/ipfw/dn_heap.c

View Options

sys/netpfil/ipfw/dn_heap.h

View Options

sys/netpfil/ipfw/dn_sched_wf2q.c

dummynet: fix wf2q use-after-free0ba9cb5e710fActions

Description

Details

Event Timeline

Changes (3)

rG0ba9cb5e710f

sys/netpfil/ipfw/dn_heap.c

sys/netpfil/ipfw/dn_heap.h

sys/netpfil/ipfw/dn_sched_wf2q.c

dummynet: fix wf2q use-after-free
0ba9cb5e710f
Actions