Module Name: src Committed By: martin Date: Fri Mar 30 11:43:00 UTC 2018
Modified Files: src/sys/netinet6 [netbsd-8]: raw_ip6.c Log Message: Pull up following revision(s) (requested by maxv in ticket #666): sys/netinet6/raw_ip6.c: revision 1.161 Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so it is wrong to read ip6->ip6_nxt. To generate a diff of this commit: cvs rdiff -u -r1.157.2.2 -r1.157.2.3 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet6/raw_ip6.c diff -u src/sys/netinet6/raw_ip6.c:1.157.2.2 src/sys/netinet6/raw_ip6.c:1.157.2.3 --- src/sys/netinet6/raw_ip6.c:1.157.2.2 Tue Jan 30 18:21:09 2018 +++ src/sys/netinet6/raw_ip6.c Fri Mar 30 11:42:59 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: raw_ip6.c,v 1.157.2.2 2018/01/30 18:21:09 martin Exp $ */ +/* $NetBSD: raw_ip6.c,v 1.157.2.3 2018/03/30 11:42:59 martin Exp $ */ /* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.2 2018/01/30 18:21:09 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.3 2018/03/30 11:42:59 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_ipsec.h" @@ -481,6 +481,7 @@ rip6_output(struct mbuf *m, struct socke if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 || in6p->in6p_cksum != -1) { + const uint8_t nxt = ip6->ip6_nxt; int off; u_int16_t sum; @@ -502,7 +503,7 @@ rip6_output(struct mbuf *m, struct socke error = ENOBUFS; goto bad; } - sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen); + sum = in6_cksum(m, nxt, sizeof(*ip6), plen); m = m_copyback_cow(m, off, sizeof(sum), (void *)&sum, M_DONTWAIT); if (m == NULL) {
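Review bot: In the hunk at -481 the new `nxt` copy removes the one stale read at the `in6_cksum()` call (hunk at -502), but `ip6` itself stays in scope and still points into the mbuf that, per the log message, the first `m_copyback_cow()` may have freed. Nothing at the declaration warns a later editor of that, so a comment there would help, e.g. `/* m_copyback_cow() may free or replace m: cache ip6_nxt now, ip6 is stale afterwards */`. The visible second `m_copyback_cow()` call also reassigns `m`, so any dereference of `ip6` after this block would presumably need `ip6 = mtod(m, struct ip6_hdr *);` first; rip6_output continues outside both hunks, so this should be confirmed against the full function. `sizeof(*ip6)` in the same call is fine because the operand is not evaluated.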