Author: jtl
Date: Fri Apr 20 20:16:42 2018
New Revision: 332841
URL: https://svnweb.freebsd.org/changeset/base/332841
Log: MFC r319215: Fix two places in the ICMP6 code where we could dereference a NULL pointer in the icmp6_input() function. When processing an ICMP6_ECHO_REQUEST, if IP6_EXTHDR_GET fails, it will set nicmp6 and n to NULL. Therefore, we should condition our modification to nicmp6 on n being not NULL. And, when processing an ICMP6_WRUREQUEST in the (mode != FQDN) case, if m_dup_pkthdr() fails, the code will set n to NULL. However, the very next line dereferences n. Therefore, when m_dup_pkthdr() fails, we should discontinue further processing and follow the same path as when m_gethdr() fails. Reported by: clang static analyzer Sponsored by: Netflix, Inc. Modified: stable/11/sys/netinet6/icmp6.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netinet6/icmp6.c ============================================================================== --- stable/11/sys/netinet6/icmp6.c Fri Apr 20 20:09:42 2018 (r332840) +++ stable/11/sys/netinet6/icmp6.c Fri Apr 20 20:16:42 2018 (r332841) @@ -596,9 +596,9 @@ icmp6_input(struct mbuf **mp, int *offp, int proto) sizeof(*nicmp6)); noff = off; } - nicmp6->icmp6_type = ICMP6_ECHO_REPLY; - nicmp6->icmp6_code = 0; if (n) { + nicmp6->icmp6_type = ICMP6_ECHO_REPLY; + nicmp6->icmp6_code = 0; ICMP6STAT_INC(icp6s_reflect); ICMP6STAT_INC(icp6s_outhist[ICMP6_ECHO_REPLY]); icmp6_reflect(n, noff); @@ -688,6 +688,7 @@ icmp6_input(struct mbuf **mp, int *offp, int proto) */ m_free(n); n = NULL; + break; } maxhlen = M_TRAILINGSPACE(n) - (sizeof(*nip6) + sizeof(*nicmp6) + 4); _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
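
Review bot: In the first hunk (icmp6_input(), @@ -596), the guard tests `n` but the two stores moved inside it go through `nicmp6`, so the fix is only correct while every path that leaves `n` non-NULL also leaves `nicmp6` valid. The log message says a failed IP6_EXTHDR_GET sets both to NULL, which covers that case, but the coupling is not visible at the point of use. Suggest a one-line comment above `if (n) {` stating that `nicmp6` is valid whenever `n` is, or testing `nicmp6` in the condition as well, so that a later change to either branch above cannot silently reintroduce the NULL dereference.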
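
Review bot: In the second hunk (@@ -688), the added `break;` leaves the case silently: the visible lines free the mbuf and set `n = NULL;` but record nothing about the dropped request, so consider incrementing an error statistic before the `break;`. The log message says this should follow the same path as the m_gethdr() failure; a short comment at the `break;` saying so would make that intent checkable in the source. It is also worth confirming that the code reached after the `break;` tolerates `n == NULL`, since the hunk does not show it and this path now depends on it.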