From 9cffbc68bdc8ce5f3ab4b33314b34ffe3e1a9696 Mon Sep 17 00:00:00 2001
From: "Bjoern A. Zeeb"
Date: Tue, 2 Oct 2018 17:29:56 +0000
Subject: [PATCH] After r338257 is was possible to trigger a KASSERT() in ud6_output() using an application trying to use a v4mapped destination address on a kernel without INET support or on a v6only socket. Catch this case and prevent the packet from going anywhere; else, without the KASSERT() armed, a v4mapped destination address might go out on the wire or other undefined behaviour might happen, while with the KASSERT() we panic. PR: 231728 Reported by: Jeremy Faulkner (gldisater gmail.com) Approved by: re (kib)
---
 sys/netinet6/udp6_usrreq.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index d5ab934c9d41..93aebbd3440b 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -784,8 +784,20 @@ udp6_output(struct socket *so, int flags_arg, struct mbuf *m,
 return ((*pru->pru_send)(so, flags_arg, m,
 (struct sockaddr *)sin6, control, td));
 }
- }
+ } else
 #endif
+ if (sin6 && IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
+ /*
+ * Given this is either an IPv6-only socket or no INET is
+ * supported we will fail the send if the given destination
+ * address is a v4mapped address.
+ */
+ if (unlock_inp == UH_WLOCKED)
+ INP_WUNLOCK(inp);
+ else
+ INP_RUNLOCK(inp);
+ return (EINVAL);
+ }
 if (control) {
 if ((error = ip6_setpktopts(control, &opt,
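Review bot: The new early `return (EINVAL);` drops the inpcb lock but frees neither `m` nor `control`. If udp6_output() owns both mbuf chains on failure, as is usual for a pru_send handler, every rejected send leaks them; the rest of the function lies outside the hunk, so this needs confirming. Any local process can reach this branch by sending to a v4mapped destination on a v6only socket, so a leak here would let it exhaust kernel mbufs. Consider adding `m_freem(control);` and `m_freem(m);` before the return, or setting `error = EINVAL` and jumping to the function's existing cleanup path if it has one. Separately, the guard only fires when `sin6` is non-NULL, so it is worth checking that a connected socket's foreign address is screened for v4mapped elsewhere.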