Date: Wed, 28 Oct 2020 19:34:34 +0100
From: Maxime Villard <max@m00nbsd.net>
To: <freebsd-net@freebsd.org>
Subject: remote use-after-free in icmp6
Message-ID: <0d6f3bc8-d727-892b-be8e-947c9dfddc24@m00nbsd.net>

In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when iterating over the next IPv6 options the kernel can free that mbuf, meaning the dereferences of 'finaldst' hit a freed buffer.

Note that this is triggerable without specific conditions, over just ICMPv6.

Maxime
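
The defensive pattern for the bug class reported above, as an added example that is not part of the original message and is not FreeBSD code: copy the address by value before the option walk rather than keeping a pointer into the buffer. The userland model (`struct pkt`, `pkt_pullup`, `walk_options`, `final_dst_copy`, `demo`) is hypothetical, and it assumes the buffer is freed by a pull-up-style step at each header, which the message does not specify.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define HDR_LEN 40 /* fixed IPv6 header length */
#define DST_OFF 24 /* destination address offset inside it */

/* Userland stand-in for an mbuf (hypothetical, not kernel code). */
struct pkt { uint8_t *data; size_t len; };

/* Models the mid-walk free: bytes move, old storage is freed, old pointers dangle. */
static int pkt_pullup(struct pkt *p) {
    uint8_t *n = malloc(p->len);
    if (n == NULL) return -1;
    memcpy(n, p->data, p->len);
    free(p->data);
    p->data = n;
    return 0;
}

/* Walk hop-by-hop (0) and destination-options (60) headers; -1 if malformed. */
static int walk_options(struct pkt *p) {
    size_t off = HDR_LEN;
    int count = 0;
    for (uint8_t nxt = p->data[6]; nxt == 0 || nxt == 60; count++) {
        if (off + 8 > p->len || pkt_pullup(p) != 0) return -1;
        nxt = p->data[off];
        off += ((size_t)p->data[off + 1] + 1) * 8;
        if (off > p->len) return -1;
    }
    return count;
}

/* Hardened pattern: copy the address by value before the walk can free storage. */
static int final_dst_copy(struct pkt *p, uint8_t out[16]) {
    if (p->len < HDR_LEN) return -1;
    memcpy(out, p->data + DST_OFF, 16);
    return walk_options(p);
}

/* Constructed sample: dst 2001:db8::1, hop-by-hop + destination options. */
int demo(uint8_t out[16]) {
    struct pkt p = { calloc(1, 56), 56 };
    if (p.data == NULL) return -1;
    memcpy(p.data + DST_OFF, "\x20\x01\x0d\xb8", 4);
    p.data[DST_OFF + 15] = 1;
    p.data[40] = 60; p.data[48] = 59; /* byte 6 stays 0 = hop-by-hop */
    int n = final_dst_copy(&p, out);
    free(p.data);
    return n;
}
int main(void) { uint8_t a[16]; return demo(a) == 2 ? 0 : 1; }
```

In the sample the storage is replaced once per walked header, so a pointer saved before the walk would reference freed memory by the time it is read, while the 16-byte copy stays valid.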