From 1ee4405a00d7bcfa5545bba7a78b71cdd4cfdc20 Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Mon, 12 Jan 2026 17:19:52 +0100
Subject: [PATCH] pf: avoid a shadowed variable in the pf_create_state() source limiter handling
the code that unwinds state creation when something fails needed the pf_source variable at the function scope to be set, but this was masked by a declaration in the scope that sets up the source limiting. this results in a NULL deref in the unwind code when it needs to clean up the accounting for a source limiter. i found it funny that i left this comment for myself in the unwinding code: /* who needs KASSERTS when we have NULL derefs */
ok jmatthew@
Obtained from: OpenBSD, dlg , fc9311361f
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 88b110d744e..79948b21842 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6846,9 +6846,9 @@ pf_create_state(struct pf_krule *r, struct pf_test_ctx *ctx,
 srlim = ctx->sourcelim;
 if (srlim != NULL) {
- struct pf_source *sr = ctx->source;
 unsigned int gen;
+ sr = ctx->source;
 if (sr == NULL) {
 sr = malloc(sizeof(*sr), M_PF_SOURCE_LIM, M_NOWAIT | M_ZERO);
 if (sr == NULL) {
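Review bot: The unwind path now depends on the function-scope `sr` being NULL whenever this block is skipped (`srlim == NULL`) or bails before the new `sr = ctx->source;` assignment, but that declaration and the unwind code are outside the hunk, so confirm `sr` is initialized to NULL at its declaration rather than left indeterminate. A one-line comment at the new assignment would record why the variable must stay at function scope and stop a future cleanup from re-scoping it, e.g. `/* sr must stay function-scope: the failure unwind uses it to undo source-limit accounting */`. Building with -Wshadow would have flagged the original masking declaration, which may be worth enabling for this file if the build allows it. pf_create_state's body starts and ends outside this hunk.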