mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2025-01-18 15:30:21 +00:00
Code Issues Releases Activity

Fix two places in the ICMP6 code where we could dereference a NULL pointer

Browse Source 
in the icmp6_input() function.

When processing an ICMP6_ECHO_REQUEST, if IP6_EXTHDR_GET fails, it will
set nicmp6 and n to NULL. Therefore, we should condition our modification
to nicmp6 on n being not NULL.

And, when processing an ICMP6_WRUREQUEST in the (mode != FQDN) case, if
m_dup_pkthdr() fails, the code will set n to NULL. However, the very next
line dereferences n. Therefore, when m_dup_pkthdr() fails, we should
discontinue further processing and follow the same path as when m_gethdr()
fails.

Reported by:	clang static analyzer
Reviewed by:	ae
MFC after:	2 weeks
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D10941
This commit is contained in:
Jonathan T. Looney 2017-05-30 14:41:31 +00:00
parent 382a6bbcf1
commit fb04394554
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=319215
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sys/netinet6/icmp6.c
View File

@ -597,9 +597,9 @@ icmp6_input(struct mbuf **mp, int *offp, int proto)
sizeof(*nicmp6)); sizeof(*nicmp6));
noff = off; noff = off;
} }
nicmp6->icmp6_type = ICMP6_ECHO_REPLY;
nicmp6->icmp6_code = 0;
if (n) { if (n) {
nicmp6->icmp6_type = ICMP6_ECHO_REPLY;
nicmp6->icmp6_code = 0;
ICMP6STAT_INC(icp6s_reflect); ICMP6STAT_INC(icp6s_reflect);
ICMP6STAT_INC(icp6s_outhist[ICMP6_ECHO_REPLY]); ICMP6STAT_INC(icp6s_outhist[ICMP6_ECHO_REPLY]);
icmp6_reflect(n, noff); icmp6_reflect(n, noff);
@ -689,6 +689,7 @@ icmp6_input(struct mbuf **mp, int *offp, int proto)
*/ */
m_free(n); m_free(n);
n = NULL; n = NULL;
break;
} }
maxhlen = M_TRAILINGSPACE(n) - maxhlen = M_TRAILINGSPACE(n) -
(sizeof(*nip6) + sizeof(*nicmp6) + 4); (sizeof(*nip6) + sizeof(*nicmp6) + 4);