Date: Thu, 30 Jul 2020 17:43:23 +0000 (UTC)
From: Mark Johnston <markj@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r363710 - head/sys/netinet6
Message-ID: <202007301743.06UHhNsm074351@repo.freebsd.org>
Author: markj Date: Thu Jul 30 17:43:23 2020 New Revision: 363710 URL: https://svnweb.freebsd.org/changeset/base/363710 Log: ip6_output(): Check the return value of in6_getlinkifnet(). If the destination address has an embedded scope ID, make sure that it corresponds to a valid ifnet before proceeding. Otherwise a sendto() with a bogus link-local address can trigger a NULL pointer dereference. Reported by: syzkaller Reviewed by: ae Fixes: r358572 Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D25887 Modified: head/sys/netinet6/ip6_output.c Modified: head/sys/netinet6/ip6_output.c ============================================================================== --- head/sys/netinet6/ip6_output.c Thu Jul 30 17:18:42 2020 (r363709) +++ head/sys/netinet6/ip6_output.c Thu Jul 30 17:43:23 2020 (r363710) @@ -761,6 +761,10 @@ again: IN6_IS_ADDR_MC_NODELOCAL(&dst_sa.sin6_addr)) { if (scopeid > 0) { ifp = in6_getlinkifnet(scopeid); + if (ifp == NULL) { + error = EHOSTUNREACH; + goto bad; + } *dst = dst_sa; /* XXX */ goto nonh6lookup; }
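Review bot: the new `if (ifp == NULL)` branch after `ifp = in6_getlinkifnet(scopeid);` carries no comment on why the lookup can fail. A one-line comment stating that the scope ID is taken from the caller-supplied destination address and may not correspond to an existing ifnet would keep the check from being dropped in a later cleanup. The branch returns EHOSTUNREACH; it is worth confirming that this is the errno the other invalid-scope paths in this code hand back to sendto(), so that callers see one consistent error for a bogus link-local scope. Since the log describes a userland-reachable NULL dereference found by syzkaller, a regression test that sends to a link-local address with a nonexistent scope ID and expects the error return would be a good companion to this change.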