Author: markj Date: Thu Jul 30 00:52:37 2020 New Revision: 363682 URL: https://svnweb.freebsd.org/changeset/base/363682
Log: Fix a logic error in uipc_ready_scan(). When processing the last record in a socket buffer, take care to avoid a NULL pointer dereference when advancing the record iterator. Reported by: syzbot+6a689cc9c27bd2652...@syzkaller.appspotmail.com Fixes: r359778 MFC after: 1 week Sponsored by: The FreeBSD Foundation Modified: head/sys/kern/uipc_usrreq.c Modified: head/sys/kern/uipc_usrreq.c ============================================================================== --- head/sys/kern/uipc_usrreq.c Wed Jul 29 23:59:35 2020 (r363681) +++ head/sys/kern/uipc_usrreq.c Thu Jul 30 00:52:37 2020 (r363682) @@ -1279,7 +1279,8 @@ uipc_ready_scan(struct socket *so, struct mbuf *m, int mb = mb->m_next; if (mb == NULL) { mb = n; - n = mb->m_nextpkt; + if (mb != NULL) + n = mb->m_nextpkt; } } } _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"