pf: avoid a shadowed variable in the pf_create_state() source limiter handling

the code that unwinds state creation when something fails needed
the pf_source variable at the function scope to be set, but this
was masked by a declaration in the scope that sets up the source
limiting. this results in a NULL deref in the unwind code when it
needs to clean up the accounting for a source limiter.

i found it funny that i left this comment for myself in the unwinding
code:

        /* who needs KASSERTS when we have NULL derefs */

ok jmatthew@

Obtained from:	OpenBSD, dlg <dlg@openbsd.org>, fc9311361f
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Kristof Provost
2026-01-12 17:19:52 +01:00
parent 1550fcf802
commit 1ee4405a00
+1 -1
@@ -6846,9 +6846,9 @@ pf_create_state(struct pf_krule *r, struct pf_test_ctx *ctx,
srlim = ctx->sourcelim;
if (srlim != NULL) {
struct pf_source *sr = ctx->source;
unsigned int gen;
sr = ctx->source;
if (sr == NULL) {
sr = malloc(sizeof(*sr), M_PF_SOURCE_LIM, M_NOWAIT | M_ZERO);
if (sr == NULL) {
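Review bot: with `sr = ctx->source;` now assigning the function-scope variable only inside the `if (srlim != NULL)` block, the unwind code depends on how that outer variable is initialised when no source limiter applies, and its declaration is not visible in this hunk. Please confirm it is set to NULL at function scope so the error path can tell "no limiter" apart from "limiter already accounted". Since the commit message says the unwind path hit a NULL dereference because of the shadowed declaration, a KASSERT in that path on the pointer it needs would turn a recurrence into an explicit assertion failure, and building this file with -Wshadow would flag a reintroduced inner declaration at compile time.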