Date:      Fri, 20 Apr 2018 20:16:42 +0000 (UTC)
From:      "Jonathan T. Looney" <jtl@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r332841 - stable/11/sys/netinet6
Message-ID:  <201804202016.w3KKGghi031937@repo.freebsd.org>

Author: jtl
Date: Fri Apr 20 20:16:42 2018
New Revision: 332841
URL: https://svnweb.freebsd.org/changeset/base/332841

Log:
  MFC r319215:
    Fix two places in the ICMP6 code where we could dereference a NULL pointer
    in the icmp6_input() function.
  
    When processing an ICMP6_ECHO_REQUEST, if IP6_EXTHDR_GET fails, it will
    set nicmp6 and n to NULL. Therefore, we should condition our modification
    to nicmp6 on n being not NULL.
  
    And, when processing an ICMP6_WRUREQUEST in the (mode != FQDN) case, if
    m_dup_pkthdr() fails, the code will set n to NULL. However, the very next
    line dereferences n. Therefore, when m_dup_pkthdr() fails, we should
    discontinue further processing and follow the same path as when m_gethdr()
    fails.
  
  Reported by:	clang static analyzer
  Sponsored by:	Netflix, Inc.

Modified:
  stable/11/sys/netinet6/icmp6.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet6/icmp6.c
==============================================================================
--- stable/11/sys/netinet6/icmp6.c	Fri Apr 20 20:09:42 2018	(r332840)
+++ stable/11/sys/netinet6/icmp6.c	Fri Apr 20 20:16:42 2018	(r332841)
@@ -596,9 +596,9 @@ icmp6_input(struct mbuf **mp, int *offp, int proto)
 			    sizeof(*nicmp6));
 			noff = off;
 		}
-		nicmp6->icmp6_type = ICMP6_ECHO_REPLY;
-		nicmp6->icmp6_code = 0;
 		if (n) {
+			nicmp6->icmp6_type = ICMP6_ECHO_REPLY;
+			nicmp6->icmp6_code = 0;
 			ICMP6STAT_INC(icp6s_reflect);
 			ICMP6STAT_INC(icp6s_outhist[ICMP6_ECHO_REPLY]);
 			icmp6_reflect(n, noff);
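Review bot: The guard at `if (n) {` tests n, but the two stores moved under it dereference nicmp6, so the fix is only safe while every failure path clears both pointers together, as the log says IP6_EXTHDR_GET does. Please add a one-line comment above `if (n) {` stating that invariant, or test nicmp6 as well, so a later change to either allocation path that leaves n set and nicmp6 NULL does not reintroduce the dereference.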
@@ -688,6 +688,7 @@ icmp6_input(struct mbuf **mp, int *offp, int proto)
 				 */
 				m_free(n);
 				n = NULL;
+				break;
 			}
 			maxhlen = M_TRAILINGSPACE(n) -
 			    (sizeof(*nip6) + sizeof(*nicmp6) + 4);
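Review bot: The added `break;` after `n = NULL;` drops the request silently, and nothing in this hunk shows whether the m_gethdr() failure path it is meant to mirror bumps a counter or frees anything else before leaving the case. Please confirm the two paths are identical in their cleanup and accounting, and extend the comment block that ends just above `m_free(n);` to say that processing stops here, since the `M_TRAILINGSPACE(n)` line directly below is what this change protects.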


