Date:      Wed, 27 May 2026 13:41:44 +0000
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc:        Teddy Engel <engel.teddy@gmail.com>
Subject:   git: fefcd4994069 - stable/15 - ipfilter: Add NULL check for fin_m in ipf_pr_icmp6()
Message-ID:  <6a16f498.1d680.749626c5@gitrepo.freebsd.org>

The branch stable/15 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=fefcd4994069de7fe0d4f94f2f9f9d3e5ae47ba2

commit fefcd4994069de7fe0d4f94f2f9f9d3e5ae47ba2
Author:     Teddy Engel <engel.teddy@gmail.com>
AuthorDate: 2026-05-19 21:36:23 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-05-27 13:41:25 +0000

    ipfilter: Add NULL check for fin_m in ipf_pr_icmp6()
    
    Add NULL check for fin->fin_m before calling M_LEN() in the ICMPv6
    error handling code path. When ipf_checkicmp6matchingstate() calls
    ipf_makefrip() with a synthesized fr_info_t that has fin_m set to
    NULL, the subsequent call to ipf_pr_ipv6hdr() can reach ipf_pr_icmp6()
    which would crash when trying to access the mbuf via M_LEN().
    
    PR:             288333
    MFC after:      1 week
    Pull Request:   https://github.com/freebsd/freebsd-src/pull/2214
    Signed-off-by:  Teddy Engel <engel.teddy@gmail.com>
    
    (cherry picked from commit cdc40489a7a617b742e295cf9005b3569b45e823)
---
 sys/netpfil/ipfilter/netinet/fil.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
index cc723eba4ffc..2eb921621f6b 100644
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -916,6 +916,9 @@ ipf_pr_icmp6(fr_info_t *fin)
 			if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
 				break;
 
+			if (fin->fin_m == NULL)
+				break;
+
 			if (M_LEN(fin->fin_m) < fin->fin_plen) {
 				if (ipf_coalesce(fin) != 1)
 					return;
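
Review bot: The new `if (fin->fin_m == NULL)` guard in ipf_pr_icmp6() has no comment saying when fin_m can legitimately be NULL, so a later reader sees a check that looks impossible for a packet path. The commit message has the reason (a synthesized fr_info_t built by ipf_checkicmp6matchingstate() through ipf_makefrip()); a one-line comment above the check naming that caller would keep it from being removed as dead code. The guard uses `break`, matching the `fin_plen < ICMP6ERR_IPICMPHLEN` case just above it, while the ipf_coalesce() failure below uses `return`; it is worth confirming that falling out of the switch is the intended result for the synthesized case. Since the crash is reached through ipf_pr_ipv6hdr(), the other protocol handlers it dispatches to should be checked for the same unguarded M_LEN(fin->fin_m) use.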

