Date: Sat, 19 Jul 2025 19:21:04 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 288333] NULL dereference in ipf_pr_icmp6
Message-ID: <bug-288333-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288333

            Bug ID: 288333
           Summary: NULL dereference in ipf_pr_icmp6
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Attachment #262288 text/plain mime type:

Created attachment 262288
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=262288&action=edit
send a packet that causes ipf_pr_icmp6() to dereference NULL

I've attached a demo program that sets up ipf with

  pass out quick on tap1 proto tcp from any to any port = 22 flags S keep state

and sends an outgoing tap0->tap1 inet6/tcp packet to set up state, and then
sends an inward inet6/IPPROTO_AH packet on tap1 that, because it has ttl=0, is
rejected by ip6_forward(). As part of generating an ICMPV6 error packet,
ipf_checkicmp6matchingstate() says

        ofin.fin_m = NULL;      /* if dereferenced, panic XXX */
        ...
        (void) ipf_makefrip(sizeof(*oip6), (ip_t *)oip6, &ofin);

the latter causes ipf_pr_icmp6() to be called, which says

        case ICMP6_DST_UNREACH :
        case ICMP6_PACKET_TOO_BIG :
        case ICMP6_TIME_EXCEEDED :
        case ICMP6_PARAM_PROB :
                ...
                if (M_LEN(fin->fin_m) < fin->fin_plen) {

#0  0xffffffc0000885d2 in ipf_pr_icmp6 (fin=0xffffffc082adfd90) at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/fil.c:908
#1  ipf_pr_ipv6hdr (fin=0xffffffc082adfd90) at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/fil.c:481
#2  ipf_makefrip (hlen=<optimized out>, ip=<optimized out>, fin=0xffffffc082adfd90) at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/fil.c:2023
#3  0xffffffc0000b1972 in ipf_checkicmp6matchingstate (fin=<optimized out>) at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/ip_state.c:4391
#4  0xffffffc0000b0f62 in ipf_state_lookup (fin=0xffffffc082ae00d0, tcp=0xffffffd00192cc88, ifqp=0xffffffc082ae0058) at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/ip_state.c:3057
#5  0xffffffc0000b1f5e in ipf_state_check (fin=0x92, passp=0xffffffc082ae00cc) at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/ip_state.c:3252
#6  0xffffffc00008988e in ipf_check (ctx=0xffffffc03decf000, ip=<optimized out>, hlen=<optimized out>, ifp=<optimized out>, out=1, mp=0xffffffc082ae0460) at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/fil.c:2971
#7  0xffffffc000095d6e in ipf_check_wrapper6 (mp=0xffffffc082ae0460, ifp=0x3, flags=<optimized out>, ruleset=<optimized out>, inp=<optimized out>) at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c:137
#8  0xffffffc0005bdd9e in pfil_mbuf_common (pch=<optimized out>, m=0xffffffc082ae0460, ifp=0xffffffd018c4d800, flags=131072, inp=0x0) at /usr/rtm/symbsd/src/sys/net/pfil.c:213
#9  pfil_mbuf_out (head=<optimized out>, m=0xffffffc082ae0460, ifp=0xffffffd018c4d800, inp=0x0) at /usr/rtm/symbsd/src/sys/net/pfil.c:239
#10 0xffffffc00071e12c in ip6_output (m0=<optimized out>, opt=0x0, ro=0x0, flags=<optimized out>, im6o=<optimized out>, ifpp=0xffffffc082ae0510, inp=0x0) at /usr/rtm/symbsd/src/sys/netinet6/ip6_output.c:1027
#11 0xffffffc000703ea6 in icmp6_reflect (m=0xffffffd018b73500, off=<optimized out>) at /usr/rtm/symbsd/src/sys/netinet6/icmp6.c:2171
#12 0xffffffc000703738 in icmp6_error (m=0xffffffd018b73500, type=<optimized out>, code=0, param=0) at /usr/rtm/symbsd/src/sys/netinet6/icmp6.c:390
#13 0xffffffc000717790 in ip6_forward (m=0xffffffd018b73400, srcrt=<optimized out>) at /usr/rtm/symbsd/src/sys/netinet6/ip6_forward.c:135
#14 0xffffffc000718e94 in ip6_input (m=0xffffffd018b73400) at /usr/rtm/symbsd/src/sys/netinet6/ip6_input.c:903

                if (M_LEN(fin->fin_m) < fin->fin_plen) {
(gdb) print fin->fin_m
$14 = (mb_t *) 0x0

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-288333-227>
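The path the report describes, reduced to a small C model (added example for this page, not ipfilter's source): ipf_checkicmp6matchingstate() builds a synthetic fr_info for the IPv6 header embedded in an outgoing ICMPv6 error with fin_m = NULL, and the ICMPv6 parser's error-type branch then measures fin->fin_m with M_LEN() without checking it. The unguarded parser below reproduces that pattern; the guarded one refuses a fin that has no mbuf behind it before touching fin_m. The field names fin_m, fin_plen and M_LEN and the ICMPv6 type numbers come from the report and RFC 4443; the struct layouts, the FI_SHORT/FI_BAD flags, the PR_* return codes and the sample inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed, minimal stand-ins for the kernel mbuf and fr_info structures. */
typedef struct mbuf_model {
	size_t m_len;			/* bytes in this mbuf, as M_LEN() reports */
} mb_t;

#define M_LEN(m)	((m)->m_len)

typedef struct fr_info_model {
	mb_t	*fin_m;			/* backing mbuf; NULL for the synthetic inner-packet fin */
	size_t	 fin_plen;		/* payload length claimed by the header */
	unsigned fin_flx;		/* per-packet flags (assumed values below) */
} fr_info_t;

#define FI_SHORT	0x1		/* header claims more bytes than the mbuf holds */
#define FI_BAD		0x2		/* packet could not be validated; do not match state */

/* ICMPv6 error types (RFC 4443) plus an informational type for contrast. */
#define ICMP6_DST_UNREACH	1
#define ICMP6_PACKET_TOO_BIG	2
#define ICMP6_TIME_EXCEEDED	3
#define ICMP6_PARAM_PROB	4
#define ICMP6_ECHO_REQUEST	128

enum pr_result { PR_OK = 0, PR_SHORT = 1, PR_NO_MBUF = 2 };

static int is_icmp6_error(uint8_t type)
{
	return type == ICMP6_DST_UNREACH || type == ICMP6_PACKET_TOO_BIG ||
	    type == ICMP6_TIME_EXCEEDED || type == ICMP6_PARAM_PROB;
}

/* The pattern from the report: the error-type branch dereferences fin->fin_m
 * unconditionally, so a fin built with fin_m == NULL crashes here. */
static int pr_icmp6_unguarded(fr_info_t *fin, uint8_t type)
{
	if (!is_icmp6_error(type))
		return PR_OK;
	if (M_LEN(fin->fin_m) < fin->fin_plen) {	/* NULL deref when fin_m == NULL */
		fin->fin_flx |= FI_SHORT;
		return PR_SHORT;
	}
	return PR_OK;
}

/* Hardened variant: a fin with no mbuf has nothing to measure, so mark it
 * bad and return before fin_m is ever dereferenced. */
static int pr_icmp6_guarded(fr_info_t *fin, uint8_t type)
{
	if (!is_icmp6_error(type))
		return PR_OK;
	if (fin->fin_m == NULL) {
		fin->fin_flx |= FI_BAD;
		return PR_NO_MBUF;
	}
	if (M_LEN(fin->fin_m) < fin->fin_plen) {
		fin->fin_flx |= FI_SHORT;
		return PR_SHORT;
	}
	return PR_OK;
}

/* Models ipf_checkicmp6matchingstate(): build a fin for the embedded IPv6
 * header with fin_m = NULL and hand it to the ICMPv6 parser that
 * ipf_makefrip() would reach.  The parser is a parameter so both variants
 * run on the same input. */
static int check_icmp6_matching_state(int (*pr_icmp6)(fr_info_t *, uint8_t),
    uint8_t inner_type, size_t inner_plen, unsigned *flags_out)
{
	fr_info_t ofin;
	int r;

	memset(&ofin, 0, sizeof(ofin));
	ofin.fin_m = NULL;		/* "if dereferenced, panic XXX" */
	ofin.fin_plen = inner_plen;
	r = pr_icmp6(&ofin, inner_type);
	if (flags_out != NULL)
		*flags_out = ofin.fin_flx;
	return r;
}

/* Ordinary inbound path for comparison: the fin has a real mbuf behind it. */
static int parse_with_mbuf(int (*pr_icmp6)(fr_info_t *, uint8_t),
    size_t mbuf_len, uint8_t type, size_t plen)
{
	mb_t m = { mbuf_len };
	fr_info_t fin = { &m, plen, 0 };

	return pr_icmp6(&fin, type);
}

int main(void)
{
	unsigned flx = 0;
	/* Constructed input: an embedded ICMPv6 Time Exceeded claiming an
	 * 8-byte payload, reached through the state-matching path. */
	int r = check_icmp6_matching_state(pr_icmp6_guarded,
	    ICMP6_TIME_EXCEEDED, 8, &flx);

	return (r == PR_NO_MBUF && (flx & FI_BAD)) ? 0 : 1;
}
```

Running the unguarded parser through check_icmp6_matching_state() with an error type is exactly the crash in the report and is deliberately not exercised; with a real mbuf both parsers agree, which is why the missing NULL check survived ordinary traffic.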
