https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201879
--- Comment #5 from [email protected] ---
A commit references this bug:

Author: kp
Date: Wed Jul 29 06:35:37 UTC 2015
New revision: 285999
URL: https://svnweb.freebsd.org/changeset/base/285999

Log:
  pf: Always initialise pf_fragment.fr_flags

  When we allocate the struct pf_fragment in pf_fillup_fragment() we forgot to
  initialise the fr_flags field. As a result we sometimes mistakenly thought
  the fragment to not be a buffered fragment.

  This resulted in panics because we'd end up freeing the pf_fragment but not
  removing it from V_pf_fragqueue (believing it to be part of
  V_pf_cachequeue). The next time we iterated V_pf_fragqueue we'd use a freed
  object and panic.

  While here also fix a pf_fragment use after free in pf_normalize_ip().
  pf_reassemble() frees the pf_fragment, so we can't use it any more.

  PR:           201879, 201932
  MFC after:    5 days

Changes:
  head/sys/netpfil/pf/pf_norm.c

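As an added illustration, not code from the FreeBSD commit or from pf itself, the following C model shows the first defect the log describes: a fragment allocated with its flags field left uninitialised can be treated as belonging to the wrong queue when it is freed, so a dangling pointer stays behind in the queue it was really on. The names `FR_BUFFERED`, `fragqueue`, `cachequeue`, `fillup_fragment` and `run_scenario` are simplified stand-ins chosen for this example; a small pool allocator recycles memory with stale contents so the effect is reproducible without undefined behaviour.

```c
/* Simplified model (not pf's code) of the bug fixed in r285999: a fragment
 * struct whose flags field was not initialised on allocation, so the free
 * path consults a stale value and unlinks the object from the wrong queue. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FR_BUFFERED 0x01   /* hypothetical flag: fragment lives on fragqueue */

struct frag {
    unsigned flags;        /* the field that was left uninitialised */
    unsigned id;
    struct frag *next;
};

struct queue { struct frag *head; };

/* Tiny pool so "freed" memory is handed back with whatever it last held,
 * mimicking a kernel allocator that does not zero recycled blocks. */
#define POOL_SIZE 4
static struct frag pool[POOL_SIZE];
static bool pool_used[POOL_SIZE];

static struct frag *pool_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool_used[i]) { pool_used[i] = true; return &pool[i]; }
    return NULL;
}
static void pool_free(struct frag *f) { pool_used[f - pool] = false; }

static void queue_insert(struct queue *q, struct frag *f) {
    f->next = q->head;
    q->head = f;
}
static void queue_remove(struct queue *q, struct frag *f) {
    struct frag **pp = &q->head;
    while (*pp && *pp != f) pp = &(*pp)->next;
    if (*pp) *pp = f->next;          /* no-op if f is not on this queue */
}
static int queue_len(const struct queue *q) {
    int n = 0;
    for (const struct frag *f = q->head; f; f = f->next) n++;
    return n;
}

static struct queue fragqueue, cachequeue;

/* Allocate a buffered fragment and link it on fragqueue. With init_flags
 * false the flags field keeps whatever the allocator left there, which is
 * the defect; with init_flags true it is always set, which is the fix. */
static struct frag *fillup_fragment(unsigned id, bool init_flags) {
    struct frag *f = pool_alloc();
    if (f == NULL) return NULL;
    f->id = id;
    f->next = NULL;
    if (init_flags) f->flags = FR_BUFFERED;
    queue_insert(&fragqueue, f);
    return f;
}

/* The free path decides which queue to unlink from based on flags. If the
 * flag is stale, the fragment is "removed" from cachequeue (where it never
 * was) and fragqueue keeps a pointer to freed memory. */
static void free_fragment(struct frag *f) {
    if (f->flags & FR_BUFFERED) queue_remove(&fragqueue, f);
    else                        queue_remove(&cachequeue, f);
    pool_free(f);
}

/* Poison the pool as a recycled block would be, allocate and free one
 * buffered fragment, and report how many entries remain on fragqueue:
 * 0 is correct, 1 means a dangling entry survived the free. */
static int run_scenario(bool init_flags) {
    memset(pool, 0, sizeof pool);            /* stale flags == 0: "not buffered" */
    memset(pool_used, 0, sizeof pool_used);
    fragqueue.head = cachequeue.head = NULL;
    struct frag *f = fillup_fragment(1, init_flags);
    assert(f != NULL);
    free_fragment(f);
    return queue_len(&fragqueue);
}

int main(void) {
    printf("uninitialised flags: %d dangling entries on fragqueue\n", run_scenario(false));
    printf("initialised flags:   %d dangling entries on fragqueue\n", run_scenario(true));
    return 0;
}
```

The point for reviewers of allocation paths is that the flags field is consulted on a different code path from the one that allocates, so a missing initialiser is invisible until memory comes back from the allocator with a stale value; zeroing on allocation or setting every field explicitly at the allocation site closes that gap.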