Date: Wed, 27 May 2026 13:42:11 +0000
From: Cy Schubert <cy@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Teddy Engel <engel.teddy@gmail.com>
Subject: git: a98f5fa64217 - stable/14 - ipfilter: Add NULL check for fin_m in ipf_pr_icmp6()
Message-ID: <6a16f4b3.1c5b2.5b709294@gitrepo.freebsd.org>
The branch stable/14 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=a98f5fa642171f1ec89a4b13b23e0fc1c180b663 commit a98f5fa642171f1ec89a4b13b23e0fc1c180b663 Author: Teddy Engel <engel.teddy@gmail.com> AuthorDate: 2026-05-19 21:36:23 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2026-05-27 13:42:01 +0000 ipfilter: Add NULL check for fin_m in ipf_pr_icmp6() Add NULL check for fin->fin_m before calling M_LEN() in the ICMPv6 error handling code path. When ipf_checkicmp6matchingstate() calls ipf_makefrip() with a synthesized fr_info_t that has fin_m set to NULL, the subsequent call to ipf_pr_ipv6hdr() can reach ipf_pr_icmp6() which would crash when trying to access the mbuf via M_LEN(). PR: 288333 Pull Request: https://github.com/freebsd/freebsd-src/pull/2214 Signed-off-by: Teddy Engel <engel.teddy@gmail.com> (cherry picked from commit cdc40489a7a617b742e295cf9005b3569b45e823) --- sys/netpfil/ipfilter/netinet/fil.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c index 7d2b21775be9..ebb1d3cd0746 100644 --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c @@ -920,6 +920,9 @@ ipf_pr_icmp6(fr_info_t *fin) if (fin->fin_plen < ICMP6ERR_IPICMPHLEN) break; + if (fin->fin_m == NULL) + break; + if (M_LEN(fin->fin_m) < fin->fin_plen) { if (ipf_coalesce(fin) != 1) return;home | help
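Review bot: The new `if (fin->fin_m == NULL) break;` in ipf_pr_icmp6() leaves the case with `break`, while the failure path two lines below it (`ipf_coalesce(fin) != 1`) uses `return`, so on the NULL path execution continues with whatever follows the switch. Please confirm that nothing after the switch touches fin->fin_m or assumes the embedded packet was examined, or use `return` here as well if that is the safer exit. A one-line comment above the check noting that fin_m can be NULL for the synthesized fr_info_t built by ipf_checkicmp6matchingstate() via ipf_makefrip() would also keep the reason with the code; as written, that context exists only in the commit message.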
