d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

In icmp6_rip6_input(), once we have a lock, make sure the inp is

Browse Source 
not freed.  This can happen since the list traversal and locking
was converted to epoch(9).  If the inp is marked "freed", skip it.

This prevents a NULL pointer deref panic in ip6_savecontrol_v4()
trying to access the socket hanging off the inp, which was gone
by the time we got there.

Reported by:	andrew
Tested by:	andrew
Approved by:	re (gjb)
This commit is contained in:
Bjoern A. Zeeb 2018-09-20 15:45:53 +00:00
parent 25ed23cfbb
commit 6675bee81a
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/netinet6/icmp6.c
View File

@ -1936,6 +1936,10 @@ icmp6_rip6_input(struct mbuf **mp, int off)
!IN6_ARE_ADDR_EQUAL(&in6p->in6p_faddr, &ip6->ip6_src))
continue;
INP_RLOCK(in6p);
if (__predict_false(in6p->inp_flags2 & INP_FREED)) {
INP_RUNLOCK(in6p);
continue;
}
if (ICMP6_FILTER_WILLBLOCK(icmp6->icmp6_type,
in6p->in6p_icmp6filt)) {
INP_RUNLOCK(in6p);