MFC r316809:
Fix a use after free panic in ipfilter's fragment processing.
Memory is malloc'd, then a search for a match in the fragment table
is made and if the fragment matches, the wrong fragment table is
freed, causing a use after free panic. This commit fixes this.
A symptom of the problem is a kernel page fault in bcopy() called by
ipf_frag_lookup() at line 715 in ip_frag.c. Another symptom is a
kernel page fault in ipf_frag_delete() when called by ipf_frag_expire()
via ipf_slowtimer().
git-svn-id: svn://svn.freebsd.org/base/stable/10@317241
ccf9f872-aa2e-dd11-9fc8-
001c23d0bc1f
projects / FreeBSD / stable / 10.git / commit