Date: Wed, 4 Nov 2020 19:41:01 -0500
From: mike tancsa <mike@sentex.net>
To: "Alexander V. Chernikov" <melifaro@ipfw.ru>, Maxime Villard <max@m00nbsd.net>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: remote use-after-free in icmp6
Message-ID: <e3c0495f-4d68-6904-b5b5-a860d0ac1aee@sentex.net>
In-Reply-To: <3581301603916797@mail.yandex.ru>
References: <0d6f3bc8-d727-892b-be8e-947c9dfddc24@m00nbsd.net> <5142321603916685@mail.yandex.ru> <3581301603916797@mail.yandex.ru>

Hi,

Is this an issue in HEAD only? Or is it something that needs to be MFC'd?

---Mike

On 10/28/2020 4:27 PM, Alexander V. Chernikov wrote:
> 28.10.2020, 20:25, "Alexander V. Chernikov" <melifaro@ipfw.ru>:
>> 28.10.2020, 18:34, "Maxime Villard" <max@m00nbsd.net>:
>>> In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when
>>> iterating over the next IPv6 options the kernel can free that mbuf, meaning
>>> the dereferences of 'finaldst' hit a freed buffer.
> [sorry for reposting, plaintext this time]
>> Fixed in r367114, thanks for reporting!
>>> Note that this is triggerable without specific conditions, over just ICMPv6.
>>>
>>> Maxime
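
The bug class described in the quoted report, as an added example that is not part of the thread and not FreeBSD code: a user-space C model showing a pointer held across a buffer-freeing call next to a variant that copies the address by value first. `struct pkt`, `pkt_pullup()`, the `final_dst_*` functions and the sample packet are hypothetical and constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed user-space model of a packet buffer; not FreeBSD's mbuf code. */
struct pkt { unsigned char *data; size_t len; };

/* Hypothetical pullup-style helper: moves the packet to new storage, frees the old. */
int pkt_pullup(struct pkt *p, size_t need)
{
    unsigned char *n;
    if (need > p->len || (n = malloc(p->len)) == NULL) return -1;
    memcpy(n, p->data, p->len);
    free(p->data);                      /* pointers into old storage now dangle */
    p->data = n;
    return 0;
}

/* Unsafe pattern, shown for comparison and never called here: 'finaldst'
 * still points into the storage that pkt_pullup() has just freed. */
int final_dst_unsafe(struct pkt *p, size_t off, unsigned char out[16])
{
    const unsigned char *finaldst;
    if (off > p->len || p->len - off < 16) return -1;
    finaldst = p->data + off;
    if (pkt_pullup(p, p->len) != 0) return -1;
    memcpy(out, finaldst, 16);          /* use-after-free read */
    return 0;
}

/* Safe pattern: copy the 16 address bytes by value before any call that
 * may free or move the buffer. */
int final_dst_safe(struct pkt *p, size_t off, unsigned char out[16])
{
    if (off > p->len || p->len - off < 16) return -1;
    memcpy(out, p->data + off, 16);
    return pkt_pullup(p, p->len);
}

/* Constructed 40-byte packet with sample address bytes at offset 24. */
int demo_safe(void)
{
    struct pkt p = { calloc(1, 40), 40 };
    unsigned char got[16] = { 0 };
    int rc;
    if (p.data == NULL) return -1;
    memset(p.data + 24, 0xab, 16);
    rc = final_dst_safe(&p, 24, got);
    free(p.data);
    return (rc == 0 && got[0] == 0xab && got[15] == 0xab) ? 0 : 1;
}
```

Building the unsafe variant into a test harness with AddressSanitizer (`-fsanitize=address`) reports the read at the `memcpy` as heap-use-after-free, which is one way to catch this pattern in review builds.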