Date: Thu, 2 Oct 2025 14:25:34 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: f9fc93690aef - main - sys/netinet6: fix memory corruption in in6_ifadd
Message-ID: <202510021425.592EPYXH034143@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=f9fc93690aef7a56f62a051de6231fe2af699728 commit f9fc93690aef7a56f62a051de6231fe2af699728 Author: Mateusz Guzik <mjg@netgate.com> AuthorDate: 2025-09-29 15:01:53 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-10-02 13:33:17 +0000 sys/netinet6: fix memory corruption in in6_ifadd The routine allocates the wrong size and then passes it to in6_get_ifid. At the same time it violates invariants by issuing malloc with M_WAITOK while within net epoch section. Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netinet6/nd6_rtr.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sys/netinet6/nd6_rtr.c b/sys/netinet6/nd6_rtr.c index 78dc55dd292f..f9684b085767 100644 --- a/sys/netinet6/nd6_rtr.c +++ b/sys/netinet6/nd6_rtr.c @@ -1243,9 +1243,8 @@ in6_ifadd(struct nd_prefixctl *pr, int mcast) /* No suitable LL address, get the ifid directly */ if (ifid_addr == NULL) { - struct in6_addr taddr; - ifa = ifa_alloc(sizeof(taddr), M_WAITOK); - if (ifa) { + ifa = ifa_alloc(sizeof(struct in6_ifaddr), M_NOWAIT); + if (ifa != NULL) { ib = (struct in6_ifaddr *)ifa; ifid_addr = &ib->ia_addr.sin6_addr; if(in6_get_ifid(ifp, NULL, ifid_addr) != 0) {
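Review bot: The switch to M_NOWAIT on the ifa_alloc() line means the allocation can now fail in ordinary operation, but the visible lines only cover the `ifa != NULL` branch, so please confirm that the path taken when ifa is NULL leaves ifid_addr unset and returns without dereferencing it. With M_WAITOK that branch was effectively never exercised, so it is worth checking that it also reports the failure rather than silently skipping address configuration. A smaller point on the same line: writing the size as `sizeof(*ib)` instead of `sizeof(struct in6_ifaddr)` would tie the allocation to the type the result is cast to two lines later, which guards against the same size mismatch coming back if the type changes.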