From nobody Wed May 27 13:42:11 2026
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gQW4z75FPz6f3lZ
	for <dev-commits-src-all@mlmmj.nyi.freebsd.org>; Wed, 27 May 2026 13:42:11 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gQW4z2yGXz4KDy
	for <dev-commits-src-all@FreeBSD.org>; Wed, 27 May 2026 13:42:11 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1779889331;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=X9lZd9PEueYmbbQ9f94wxZ0KIkQaliH14uzy0oDMPMM=;
	b=q+8m3GiQALTzuylPFHffYhqxVYRrNY/MaT1qD/wG0BN5vou1w8LZ5N4YLpS9MrcdY2oD2Z
	rDZzg/+ek4IZetrCIwPONXpqK9S7apUvq66WI87a98q6Ef48dX1PIFMk8NTZa7VVv0uR6Z
	8BpRhT/Kmv4Ae9IreppMCS7OZldPWkGD+tICXicEQLqzNaKRWs6eyOroSQ44WAgK2VSdxk
	dFw6JrCQq4Lr0emQosLgq0WtenvMNpFZkO0ufEPBMaS7AkWcp8Ub0OJxIzczkoXvo0zPjs
	XeZXdPuJFmFl0nGMg7l6DqHfVquddlQzyaN3HQ30RNmly81hPHiDuXhL48nkTA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779889331; a=rsa-sha256; cv=none;
	b=KqfEzajdqmUfaXMnXkB3NEiAHgw1kF4Yj5BcCsAzDbt3d+xaF/7drcs2IkRLGtufryAMLj
	KonwOb+u0L3+wvLZuerXcxvdbPhxjb4OrUZESCLXsEZK7EvoQ4b9oTYVW4l8DvUR1YfXro
	DWZ48hbsjkfXE+IAUTW+2ucSJyV9E2jxcyY35k+LfwgxxztI+zWDGFC5/0VvYeY7qtiNSy
	kc7nLPIR/t+Gyudu3/YLEsGU7qKx80KtyUb0ktydePYMUQIS37adxAij6sY4yILY3IzJ68
	GmuMw1A0mJ1gyCFePFRJ8No4jmMcWhVLmNg6nYsTJRK/muauNaIoSrLmquCMOw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1779889331;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=X9lZd9PEueYmbbQ9f94wxZ0KIkQaliH14uzy0oDMPMM=;
	b=azPb7EK+fKhtmXU43aTbgngpSDRUhIP9hykU03dKEIcJkJLSO57uFzdGJE+K+bP8So9Npc
	tCh2ogFYRC77iEMneALFIO5gi0JC2Bttb9EOuLjz7egAB3TFf/xpvI3y7asng1e8e/c4v2
	oT6/loCGgLNpbimqqCyCEDlw38aMStjNnipiZvKSIkvgnfzjR8HUR2EXveKgDVsQnLbYVU
	7D4S8w7DD7CK/YhyHdIAgyHMqldpArWkq0VG0EgU6/ZVb8UakIyU4pc1KrC5qux7KVeRF9
	A1i4F1GHMntEC7iJfQTZ2C8vx/2FdsjtAaS9gGid2YLy3S9ksMaV0RIq0j9HXw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gQW4z2SN9z11q1
	for <dev-commits-src-all@FreeBSD.org>; Wed, 27 May 2026 13:42:11 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 1c5b2
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Wed, 27 May 2026 13:42:11 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Teddy Engel <engel.teddy@gmail.com>
From: Cy Schubert <cy@FreeBSD.org>
Subject: git: a98f5fa64217 - stable/14 - ipfilter: Add NULL check for fin_m in ipf_pr_icmp6()
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
List-Id: <dev-commits-src-all.FreeBSD.org>
List-Post: <mailto:dev-commits-src-all@FreeBSD.org>
List-Help: <mailto:dev-commits-src-all+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: a98f5fa642171f1ec89a4b13b23e0fc1c180b663
Auto-Submitted: auto-generated
Date: Wed, 27 May 2026 13:42:11 +0000
Message-Id: <6a16f4b3.1c5b2.5b709294@gitrepo.freebsd.org>

The branch stable/14 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=a98f5fa642171f1ec89a4b13b23e0fc1c180b663

commit a98f5fa642171f1ec89a4b13b23e0fc1c180b663
Author:     Teddy Engel <engel.teddy@gmail.com>
AuthorDate: 2026-05-19 21:36:23 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-05-27 13:42:01 +0000

    ipfilter: Add NULL check for fin_m in ipf_pr_icmp6()
    
    Add NULL check for fin->fin_m before calling M_LEN() in the ICMPv6
    error handling code path. When ipf_checkicmp6matchingstate() calls
    ipf_makefrip() with a synthesized fr_info_t that has fin_m set to
    NULL, the subsequent call to ipf_pr_ipv6hdr() can reach ipf_pr_icmp6()
    which would crash when trying to access the mbuf via M_LEN().
    
    PR:             288333
    Pull Request:   https://github.com/freebsd/freebsd-src/pull/2214
    Signed-off-by:  Teddy Engel <engel.teddy@gmail.com>
    
    (cherry picked from commit cdc40489a7a617b742e295cf9005b3569b45e823)
---
 sys/netpfil/ipfilter/netinet/fil.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
index 7d2b21775be9..ebb1d3cd0746 100644
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -920,6 +920,9 @@ ipf_pr_icmp6(fr_info_t *fin)
 			if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
 				break;
 
+			if (fin->fin_m == NULL)
+				break;
+
 			if (M_LEN(fin->fin_m) < fin->fin_plen) {
 				if (ipf_coalesce(fin) != 1)
 					return;