talexander
/
freebsd_amp_hwpstate
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix null deref in mld_v1_transmit_report 

After r337866 it is possible for an in_multi6 to be referenced while
mid teardown. Handle case of cleared ifnet pointer.

Reported by:	ae
This commit is contained in:
Matt Macy 2018-08-21 23:03:02 +00:00
parent 77ad07b6a3
commit f3499ce48f
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sys/netinet6/mld6.c
View File

@ -1798,8 +1798,11 @@ mld_v1_transmit_report(struct in6_multi *in6m, const int type)
IN6_MULTI_LIST_LOCK_ASSERT();
MLD_LOCK_ASSERT();
ifp = in6m->in6m_ifp;
/* in process of being freed */
if (ifp == NULL)
return (0);
ia = in6ifa_ifpforlinklocal(ifp, IN6_IFF_NOTREADY|IN6_IFF_ANYCAST);
/* ia may be NULL if link-local address is tentative. */