Date: Tue, 30 May 2017 14:41:32 +0000 (UTC) From: "Jonathan T. Looney" <jtl@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r319215 - head/sys/netinet6 Message-ID: <201705301441.v4UEfW0q050277@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jtl Date: Tue May 30 14:41:31 2017 New Revision: 319215 URL: https://svnweb.freebsd.org/changeset/base/319215 Log: Fix two places in the ICMP6 code where we could dereference a NULL pointer in the icmp6_input() function. When processing an ICMP6_ECHO_REQUEST, if IP6_EXTHDR_GET fails, it will set nicmp6 and n to NULL. Therefore, we should condition our modification to nicmp6 on n being not NULL. And, when processing an ICMP6_WRUREQUEST in the (mode != FQDN) case, if m_dup_pkthdr() fails, the code will set n to NULL. However, the very next line dereferences n. Therefore, when m_dup_pkthdr() fails, we should discontinue further processing and follow the same path as when m_gethdr() fails. Reported by: clang static analyzer Reviewed by: ae MFC after: 2 weeks Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D10941 Modified: head/sys/netinet6/icmp6.c Modified: head/sys/netinet6/icmp6.c ============================================================================== --- head/sys/netinet6/icmp6.c Tue May 30 14:32:44 2017 (r319214) +++ head/sys/netinet6/icmp6.c Tue May 30 14:41:31 2017 (r319215) @@ -597,9 +597,9 @@ icmp6_input(struct mbuf **mp, int *offp, int proto) sizeof(*nicmp6)); noff = off; } - nicmp6->icmp6_type = ICMP6_ECHO_REPLY; - nicmp6->icmp6_code = 0; if (n) { + nicmp6->icmp6_type = ICMP6_ECHO_REPLY; + nicmp6->icmp6_code = 0; ICMP6STAT_INC(icp6s_reflect); ICMP6STAT_INC(icp6s_outhist[ICMP6_ECHO_REPLY]); icmp6_reflect(n, noff); @@ -689,6 +689,7 @@ icmp6_input(struct mbuf **mp, int *offp, int proto) */ m_free(n); n = NULL; + break; } maxhlen = M_TRAILINGSPACE(n) - (sizeof(*nip6) + sizeof(*nicmp6) + 4);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201705301441.v4UEfW0q050277>