Comment 1 Oliver Pinter 2015-05-15 16:43:29 UTC

https://github.com/opnsense/src/commit/6cec1085278c191c5fca3c5c77048e963e6854e7
https://github.com/HardenedBSD/hardenedBSD-playground/commit/6c36a040d282d333c3c40434a462a07f4c118f64

Comment 2 Gleb Smirnoff 2015-05-18 14:52:59 UTC

The patches referenced don't look like patches to FreeBSD head or stable/10. There is no pd.act.qid in FreeBSD pf.

Can you please better explain the problem?

Please ignore the first commit, it is based on 10.1-RELENG.  The second patch is for 10-STABLE.

The problem still stands: if pf_get_mtag() fails, in those instances NULL is dereferenced.

Comment 4 Gleb Smirnoff 2015-05-18 15:01:22 UTC

I've found the context and the problem. Thanks.

Comment 5 commit-hook 2015-05-18 15:06:08 UTC

A commit references this bug:

Author: glebius
Date: Mon May 18 15:05:13 UTC 2015
New revision: 283061
URL: https://svnweb.freebsd.org/changeset/base/283061

Log:
  Don't dereference NULL is pf_get_mtag() fails.

  PR:		200222
  Submitted by:	Franco Fichtner <franco opnsense.org>

Changes:
  head/sys/netpfil/pf/pf.c

Thanks.  Is this also going to get backported to 10-STABLE?

Comment 7 Gleb Smirnoff 2015-05-18 15:25:48 UTC

Should be, if I don't forget :)

Comment 8 Oliver Pinter 2015-05-18 15:47:21 UTC

Seems like you missed one part of the patch at there:
https://github.com/HardenedBSD/hardenedBSD-playground/commit/6c36a040d282d333c3c40434a462a07f4c118f64#diff-4f594011be0477d0b5f594cd00a64245R5919 .

See there: https://github.com/freebsd/freebsd/blob/af369a5484f0ba2dd39bbe4b1e3566e14f23bb4e/sys/netpfil/pf/pf.c#L5953

Comment 9 Gleb Smirnoff 2015-05-18 15:52:01 UTC

Thanks, Oliver!

Comment 10 commit-hook 2015-05-18 15:52:12 UTC

A commit references this bug:

Author: glebius
Date: Mon May 18 15:51:28 UTC 2015
New revision: 283063
URL: https://svnweb.freebsd.org/changeset/base/283063

Log:
  A miss from r283061: don't dereference NULL is pf_get_mtag() fails.

  PR:		200222
  Submitted by:	Franco Fichtner <franco opnsense.org>

Changes:
  head/sys/netpfil/pf/pf.c

Comment 11 Oliver Pinter 2015-06-22 19:27:38 UTC

Gleb, could you please MFC this change to 10-STABLE before the 10.2-RELEASE is out?

Yes, let's get this into stable/10. :)

A MFC in time for 10.2 would be awesome.  :)

Comment 14 Glen Barber 2015-07-03 23:39:17 UTC

No need to CC me, I read RE email.

Comment 15 commit-hook 2015-07-28 09:17:04 UTC

A commit references this bug:

Author: glebius
Date: Tue Jul 28 09:16:55 UTC 2015
New revision: 285941
URL: https://svnweb.freebsd.org/changeset/base/285941

Log:
  Merge r283061, r283063: don't dereference NULL is pf_get_mtag() fails.

  PR:		200222

Changes:
_U  stable/10/
  stable/10/sys/netpfil/pf/pf.c

Comment 16 commit-hook 2015-07-29 14:17:30 UTC

A commit references this bug:

Author: glebius
Date: Wed Jul 29 14:16:27 UTC 2015
New revision: 286014
URL: https://svnweb.freebsd.org/changeset/base/286014

Log:
  Merge r285939-285941,285943,286004 from stable/10:
  - Protect against ioctl() vs ioctl() races.
  - Always lock hash row of a source node when updating
    its 'states' counter. [1]
  - Don't dereference NULL is pf_get_mtag() fails. [2]
  - During module unload drop locks before destroying UMA zone.

  PR:		182401 [1]
  PR:		200222 [2]
  Approved by:	re (gjb)

Changes:
_U  releng/10.2/
  releng/10.2/sys/net/pfvar.h
  releng/10.2/sys/netpfil/pf/pf.c
  releng/10.2/sys/netpfil/pf/pf_ioctl.c