Site Navigation

Date:      Thu, 30 Jul 2020 00:52:37 +0000 (UTC)
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r363682 - head/sys/kern
Message-ID:  <202007300052.06U0qb7K044356@repo.freebsd.org>

---

next in thread | raw e-mail | index | archive | help

---

Author: markj
Date: Thu Jul 30 00:52:37 2020
New Revision: 363682
URL: https://svnweb.freebsd.org/changeset/base/363682

Log:
  Fix a logic error in uipc_ready_scan().
  
  When processing the last record in a socket buffer, take care to avoid a
  NULL pointer dereference when advancing the record iterator.
  
  Reported by:	syzbot+6a689cc9c27bd265237a@syzkaller.appspotmail.com
  Fixes:		r359778
  MFC after:	1 week
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/sys/kern/uipc_usrreq.c

Modified: head/sys/kern/uipc_usrreq.c
==============================================================================
--- head/sys/kern/uipc_usrreq.c	Wed Jul 29 23:59:35 2020	(r363681)
+++ head/sys/kern/uipc_usrreq.c	Thu Jul 30 00:52:37 2020	(r363682)
@@ -1279,7 +1279,8 @@ uipc_ready_scan(struct socket *so, struct mbuf *m, int
 			mb = mb->m_next;
 			if (mb == NULL) {
 				mb = n;
-				n = mb->m_nextpkt;
+				if (mb != NULL)
+					n = mb->m_nextpkt;
 			}
 		}
 	}

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202007300052.06U0qb7K044356>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact