From 4c4789d368df8953b91c5afdf522b2ca55f42b87 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Fri, 29 Dec 2017 23:55:22 +0000
Subject: [PATCH] Make sure that pf_mbuf_link_state_key() does not overwrite an existing statekey in the mbuf header. Reset the statekey in m_dup_pkthdr(). suggested by and OK sahan@
---
 sys/kern/uipc_mbuf.c | 3 ++-
 sys/net/pf.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/kern/uipc_mbuf.c b/sys/kern/uipc_mbuf.c
index bd89446fa98..24c9b5e21a6 100644
--- a/sys/kern/uipc_mbuf.c
+++ b/sys/kern/uipc_mbuf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_mbuf.c,v 1.251 2017/12/29 17:05:25 bluhm Exp $ */
+/* $OpenBSD: uipc_mbuf.c,v 1.252 2017/12/29 23:55:22 bluhm Exp $ */
 /* $NetBSD: uipc_mbuf.c,v 1.15.4.1 1996/06/13 17:11:44 cgd Exp $ */
 /*
@@ -1325,6 +1325,7 @@ m_dup_pkthdr(struct mbuf *to, struct mbuf *from, int wait)
 to->m_pkthdr = from->m_pkthdr;
 #if NPF > 0
+ to->m_pkthdr.pf.statekey = NULL;
 pf_mbuf_link_state_key(to, from->m_pkthdr.pf.statekey);
 #endif /* NPF > 0 */
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 02ff6bcefdf..c4fabb3d657 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1053 2017/12/29 17:05:25 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1054 2017/12/29 23:55:22 bluhm Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -7268,6 +7268,7 @@ pf_mbuf_unlink_state_key(struct mbuf *m)
 void
 pf_mbuf_link_state_key(struct mbuf *m, struct pf_state_key *sk)
 {
+ KASSERT(m->m_pkthdr.pf.statekey == NULL);
 m->m_pkthdr.pf.statekey = pf_state_key_ref(sk);
 }
--
2.20.1
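Review bot: The added `to->m_pkthdr.pf.statekey = NULL;` in m_dup_pkthdr() carries no comment, and without one it reads like a dead store directly before the link call. The struct assignment `to->m_pkthdr = from->m_pkthdr;` just above copies from's statekey pointer into `to` without taking a reference, so the clear is what keeps the new KASSERT in pf_mbuf_link_state_key() from firing and lets the link take a reference of its own. I would add `/* the struct copy aliased from's statekey without a reference; clear it so the link below takes its own */` above the line. Whether `to` can already hold a referenced state key before the struct copy overwrites it is not visible here, since the function body starts and ends outside the hunk.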
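Review bot: The no-overwrite rule in pf_mbuf_link_state_key() is enforced only by `KASSERT(m->m_pkthdr.pf.statekey == NULL);`, so what happens on violation depends on the kernel build. Where the assertion is compiled in, any caller that reaches this function with a key still linked becomes a panic. Where it is compiled out (presumably kernels built without DIAGNOSTIC), the old pointer is silently replaced and its reference is never released. Since mbufs on this path carry network traffic, each remaining caller deserves an audit to confirm it unlinks first. The precondition should also be stated on the function, e.g. `/* m must not already carry a state key; call pf_mbuf_unlink_state_key() first, or the old reference leaks */`. It also looks like `sk` can be NULL when called from m_dup_pkthdr(), so pf_state_key_ref() presumably has to tolerate that; its definition is not in this hunk.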