Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 30 May 2017 14:41:32 +0000 (UTC)
From:      "Jonathan T. Looney" <jtl@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r319215 - head/sys/netinet6
Message-ID:  <201705301441.v4UEfW0q050277@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: jtl
Date: Tue May 30 14:41:31 2017
New Revision: 319215
URL: https://svnweb.freebsd.org/changeset/base/319215

Log:
  Fix two places in the ICMP6 code where we could dereference a NULL pointer
  in the icmp6_input() function.
  
  When processing an ICMP6_ECHO_REQUEST, if IP6_EXTHDR_GET fails, it will
  set nicmp6 and n to NULL. Therefore, we should condition our modification
  to nicmp6 on n being not NULL.
  
  And, when processing an ICMP6_WRUREQUEST in the (mode != FQDN) case, if
  m_dup_pkthdr() fails, the code will set n to NULL. However, the very next
  line dereferences n. Therefore, when m_dup_pkthdr() fails, we should
  discontinue further processing and follow the same path as when m_gethdr()
  fails.
  
  Reported by:	clang static analyzer
  Reviewed by:	ae
  MFC after:	2 weeks
  Sponsored by:	Netflix
  Differential Revision:	https://reviews.freebsd.org/D10941

Modified:
  head/sys/netinet6/icmp6.c

Modified: head/sys/netinet6/icmp6.c
==============================================================================
--- head/sys/netinet6/icmp6.c	Tue May 30 14:32:44 2017	(r319214)
+++ head/sys/netinet6/icmp6.c	Tue May 30 14:41:31 2017	(r319215)
@@ -597,9 +597,9 @@ icmp6_input(struct mbuf **mp, int *offp, int proto)
 			    sizeof(*nicmp6));
 			noff = off;
 		}
-		nicmp6->icmp6_type = ICMP6_ECHO_REPLY;
-		nicmp6->icmp6_code = 0;
 		if (n) {
+			nicmp6->icmp6_type = ICMP6_ECHO_REPLY;
+			nicmp6->icmp6_code = 0;
 			ICMP6STAT_INC(icp6s_reflect);
 			ICMP6STAT_INC(icp6s_outhist[ICMP6_ECHO_REPLY]);
 			icmp6_reflect(n, noff);
@@ -689,6 +689,7 @@ icmp6_input(struct mbuf **mp, int *offp, int proto)
 				 */
 				m_free(n);
 				n = NULL;
+				break;
 			}
 			maxhlen = M_TRAILINGSPACE(n) -
 			    (sizeof(*nip6) + sizeof(*nicmp6) + 4);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201705301441.v4UEfW0q050277>