Date:      Wed, 28 Oct 2020 20:27:22 +0000
From:      Alexander V. Chernikov <melifaro@ipfw.ru>
To:        Maxime Villard <max@m00nbsd.net>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: remote use-after-free in icmp6
Message-ID:  <3581301603916797@mail.yandex.ru>
In-Reply-To: <5142321603916685@mail.yandex.ru>
References:  <0d6f3bc8-d727-892b-be8e-947c9dfddc24@m00nbsd.net> <5142321603916685@mail.yandex.ru>

28.10.2020, 20:25, "Alexander V. Chernikov" <melifaro@ipfw.ru>:
> 28.10.2020, 18:34, "Maxime Villard" <max@m00nbsd.net>:
>> In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when
>> iterating over the next IPv6 options the kernel can free that mbuf, meaning
>> the dereferences of 'finaldst' hit a freed buffer.
[sorry for reposting, plaintext this time]
> Fixed in r367114, thanks for reporting!
>> Note that this is triggerable without specific conditions, over just ICMPv6.
>>
>> Maxime
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
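
The pointer-lifetime problem described in the report, as an added user-space example that is not part of the original messages and is not the FreeBSD code or the r367114 change. `struct pkt`, `pkt_relocate()` and the `final_dst_*` functions are hypothetical names, and the freeing step is modelled as a call that moves the packet data to a new allocation, which is an assumption about the mechanism.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define ADDR_LEN 16 /* size of an IPv6 address */
/* Hypothetical stand-in for an mbuf: one heap buffer of packet bytes. */
struct pkt { uint8_t *data; size_t len; };
/* Models a call that may relocate packet data: the bytes move to a new
 * allocation and the old one is freed, so pointers into it go stale. */
int pkt_relocate(struct pkt *p)
{
    uint8_t *fresh = malloc(p->len);
    if (fresh == NULL) return -1;
    memcpy(fresh, p->data, p->len);
    free(p->data);
    p->data = fresh;
    return 0;
}

/* Unsafe ordering, shown for contrast and never called: the pointer taken
 * before the relocation is dereferenced after the old buffer is freed. */
int final_dst_unsafe(struct pkt *p, size_t off, uint8_t out[ADDR_LEN])
{
    const uint8_t *finaldst = p->data + off;
    if (pkt_relocate(p) != 0) return -1;
    memcpy(out, finaldst, ADDR_LEN); /* use-after-free */
    return 0;
}

/* Hardened ordering: bounds-check, copy the address by value, and only
 * then run the code that may free or move the buffer. */
int final_dst_safe(struct pkt *p, size_t off, uint8_t out[ADDR_LEN])
{
    if (off > p->len || p->len - off < ADDR_LEN) return -1;
    memcpy(out, p->data + off, ADDR_LEN);
    return pkt_relocate(p);
}

/* Constructed packet: 8 zero bytes, then 2001:db8::1. Returns 0 on success. */
int demo(void)
{
    static const uint8_t addr[ADDR_LEN] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 1 };
    struct pkt p = { calloc(1, 8 + ADDR_LEN), 8 + ADDR_LEN };
    uint8_t out[ADDR_LEN];
    if (p.data == NULL) return -1;
    memcpy(p.data + 8, addr, ADDR_LEN);
    int ok = final_dst_safe(&p, 8, out) == 0 && memcmp(out, addr, ADDR_LEN) == 0;
    free(p.data);
    return ok ? 0 : 1;
}
```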


