From 35d9e964c12b0c99dbb1c4ae96876e52f250bab0 Mon Sep 17 00:00:00 2001 From: bluhm Date: Sat, 23 Oct 2021 22:00:51 +0000 Subject: [PATCH] Fix use-after-free in ipcomp_output() introduced by previous commit. Retrieve ilen and olen from crypto descriptors before freeing them. Found by regress/sys/netinet/ipsec. OK mpi@
---
 sys/netinet/ip_ipcomp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c
index 1854df89a5d..4a2a52f42af 100644
--- a/sys/netinet/ip_ipcomp.c
+++ b/sys/netinet/ip_ipcomp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.c,v 1.80 2021/10/23 15:42:35 tobhe Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.81 2021/10/23 22:00:51 bluhm Exp $ */
 /* * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -526,7 +526,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 /* Release the crypto descriptors */
 crypto_freereq(crp);
- error = ipcomp_output_cb(tdb, tc, m, crp->crp_ilen, crp->crp_olen);
+ error = ipcomp_output_cb(tdb, tc, m, ilen, olen);
 if (error) {
 ipsecstat_inc(ipsec_odrops);
 tdb->tdb_odrops++;
-- 2.20.1
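Review bot: Nothing in the second hunk keeps this use-after-free from coming back, because after `crypto_freereq(crp);` the pointer `crp` stays in scope holding the freed address, so a later edit that reads `crp->...` would still compile. Consider adding `crp = NULL;` directly after the free, so a stray dereference faults instead of reading released memory, and extending the comment to `/* Release the crypto descriptors; crp is invalid from here, use ilen/olen */`. The assignments to `ilen` and `olen` are not visible here, and the diffstat shows only the two changed lines, so they presumably already exist above the free; it is worth confirming they are made on every path that reaches it. The body of ipcomp_output() starts and ends outside the hunk.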