Date:      Wed, 27 May 2026 13:41:43 +0000
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc:        Teddy Engel <engel.teddy@gmail.com>
Subject:   git: b2076f39a117 - stable/15 - ipfilter: Add NULL check for fin_dp in ICMP packet handlers
Message-ID:  <6a16f497.1c535.72b4fc66@gitrepo.freebsd.org>

The branch stable/15 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=b2076f39a11723506f202f980fda281af3448bf4

commit b2076f39a11723506f202f980fda281af3448bf4
Author:     Teddy Engel <engel.teddy@gmail.com>
AuthorDate: 2026-05-19 21:36:15 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-05-27 13:41:25 +0000

    ipfilter: Add NULL check for fin_dp in ICMP packet handlers
    
    Add NULL checks for fin->fin_dp in ipf_pr_icmp6() and ipf_pr_icmp()
    before dereferencing. When processing packets with IPv6 extension
    headers, ipf_pr_pullup() can succeed but fin->fin_dp may still be NULL
    due to extension header processing leaving insufficient data for the
    protocol header.
    
    PR:             288333
    Pull Request:   https://github.com/freebsd/freebsd-src/pull/2214
    Signed-off-by:  Teddy Engel <engel.teddy@gmail.com>
    
    (cherry picked from commit 68ed81631afa20c07883f7f60343f6da8397ee41)
---
 sys/netpfil/ipfilter/netinet/fil.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
index 8acf37c4c81f..cc723eba4ffc 100644
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -890,6 +890,8 @@ ipf_pr_icmp6(fr_info_t *fin)
 		ip6_t *ip6;
 
 		icmp6 = fin->fin_dp;
+		if (icmp6 == NULL)
+			return;
 
 		fin->fin_data[0] = *(u_short *)icmp6;
 
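Review bot: The new check "if (icmp6 == NULL) return;" in ipf_pr_icmp6() carries no comment explaining how fin_dp can be NULL at this point. The commit message gives the reason (ipf_pr_pullup() can succeed while extension header processing leaves insufficient data for the protocol header), but a reader of fil.c alone will see a check that looks redundant after a successful pullup. Suggest a one-line comment above the check stating that condition. The bare return also skips the fin_data[0] assignment that follows and, in the visible lines, does nothing else to mark the packet, so it is worth confirming what later rule matching sees for a packet that takes this path and whether a truncated ICMPv6 header should be treated differently from a well-formed one.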
@@ -1198,6 +1200,8 @@ ipf_pr_icmp(fr_info_t *fin)
 	}
 
 	icmp = fin->fin_dp;
+	if (icmp == NULL)
+		return;
 
 	fin->fin_data[0] = *(u_short *)icmp;
 	fin->fin_data[1] = icmp->icmp_id;
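Review bot: The check added after "icmp = fin->fin_dp;" in ipf_pr_icmp() is not explained by the commit message, which attributes the NULL fin_dp to IPv6 extension header processing, while ipf_pr_icmp() is by its name the non-IPv6 counterpart of ipf_pr_icmp6(). Please say in the message or in a comment whether this path is known to be reachable or whether the check is purely defensive. Since the message locates the cause in ipf_pr_pullup() returning success with fin_dp still NULL, consider also whether the condition should be detected there, so that every caller that dereferences fin_dp afterwards is covered rather than only these two handlers.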

