Module Name:    src
Committed By:   knakahara
Date:           Mon Nov 21 09:51:13 UTC 2022

Modified Files:
        src/sys/netinet: ip_output.c

Log Message:
Fix panic on packet sending via a route with rt_ifa of AF_LINK.

A route with rt_ifa of AF_LINK can be set by some routing daemons when
they add a route that has a gateway of AF_LINK.  If there is no address on
the target interface, the kernel sets the interface's AF_LINK address as
rt_ifa of the route.  In that case, the local-address variable in
ip_output (ia) can be NULL, and we need more NULL checks on it.


To generate a diff of this commit:
cvs rdiff -u -r1.323 -r1.324 src/sys/netinet/ip_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet/ip_output.c
diff -u src/sys/netinet/ip_output.c:1.323 src/sys/netinet/ip_output.c:1.324
--- src/sys/netinet/ip_output.c:1.323	Fri Nov  4 09:00:58 2022
+++ src/sys/netinet/ip_output.c	Mon Nov 21 09:51:13 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.323 2022/11/04 09:00:58 ozaki-r Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.324 2022/11/21 09:51:13 knakahara Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.323 2022/11/04 09:00:58 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.324 2022/11/21 09:51:13 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -531,6 +531,15 @@ ip_output(struct mbuf *m0, struct mbuf *
 	if (in_nullhost(ip->ip_src)) {
 		struct ifaddr *xifa;
 
+		/* If rt_ifa is AF_LINK, ia can be NULL. */
+		if (ia == NULL) {
+			KASSERTMSG(rt->rt_ifa->ifa_addr->sa_family == AF_LINK,
+			    "sa_family=%d", rt->rt_ifa->ifa_addr->sa_family);
+			IP_STATINC(IP_STAT_NOROUTE);
+			error = EHOSTUNREACH;
+			goto bad;
+		}
+
 		xifa = &ia->ia_ifa;
 		if (xifa->ifa_getifa != NULL) {
 			ia4_release(ia, &psref_ia);
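Review bot: The new guard in the `in_nullhost(ip->ip_src)` branch counts the drop as `IP_STAT_NOROUTE` and returns `EHOSTUNREACH`, although per the log message a route does exist and only the interface lacks an IPv4 address. In the statistics this drop will look the same as a real routing failure. The one-line comment should give the reason for dropping rather than restate the condition, e.g. `/* rt_ifa is AF_LINK: the interface has no IPv4 address to use as source, so drop the packet. */`. The same nine-line block is added again under `sendit:`, so a small static helper would keep the two copies from drifting apart. ip_output's body starts and ends outside the hunk.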
@@ -582,6 +591,15 @@ ip_output(struct mbuf *m0, struct mbuf *
 
 sendit:
 	if ((flags & (IP_FORWARDING|IP_NOIPNEWID)) == 0) {
+		/* If rt_ifa is AF_LINK, ia can be NULL. */
+		if (ia == NULL) {
+			KASSERTMSG(rt->rt_ifa->ifa_addr->sa_family == AF_LINK,
+			    "sa_family=%d", rt->rt_ifa->ifa_addr->sa_family);
+			IP_STATINC(IP_STAT_NOROUTE);
+			error = EHOSTUNREACH;
+			goto bad;
+		}
+
 		if (m->m_pkthdr.len < IP_MINFRAGSIZE) {
 			ip->ip_id = 0;
 		} else if ((m->m_pkthdr.csum_flags & M_CSUM_TSOv4) == 0) {
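Review bot: The `KASSERTMSG` added under `sendit:` dereferences `rt->rt_ifa->ifa_addr`, assuming that an AF_LINK rt_ifa is the only way `ia` can be NULL at this point. `sendit` is a jump target and the paths that reach it are outside the hunk. If any of them can arrive with `ia == NULL` and no route held in `rt` (this needs confirming against the full function), a DIAGNOSTIC kernel would fault inside the assertion instead of returning `EHOSTUNREACH`. Guarding the condition keeps the diagnostic without adding a new NULL dereference: `KASSERTMSG(rt == NULL || rt->rt_ifa->ifa_addr->sa_family == AF_LINK,`.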
