Module Name:    src
Committed By:   martin
Date:           Sun Apr  1 09:14:45 UTC 2018

Modified Files:
        src/sys/netinet6 [netbsd-7-0]: raw_ip6.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1591):

        sys/netinet6/raw_ip6.c: revision 1.161

Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so
it is wrong to read ip6->ip6_nxt.


To generate a diff of this commit:
cvs rdiff -u -r1.136.6.1 -r1.136.6.2 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.136.6.1 src/sys/netinet6/raw_ip6.c:1.136.6.2
--- src/sys/netinet6/raw_ip6.c:1.136.6.1	Tue Jan 30 18:31:53 2018
+++ src/sys/netinet6/raw_ip6.c	Sun Apr  1 09:14:45 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip6.c,v 1.136.6.1 2018/01/30 18:31:53 martin Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.136.6.2 2018/04/01 09:14:45 martin Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.136.6.1 2018/01/30 18:31:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.136.6.2 2018/04/01 09:14:45 martin Exp $");
 
 #include "opt_ipsec.h"
 
@@ -476,6 +476,7 @@ rip6_output(struct mbuf *m, struct socke
 
 	if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 ||
 	    in6p->in6p_cksum != -1) {
+		const uint8_t nxt = ip6->ip6_nxt;
 		int off;
 		u_int16_t sum;
 
@@ -497,7 +498,7 @@ rip6_output(struct mbuf *m, struct socke
 			error = ENOBUFS;
 			goto bad;
 		}
-		sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen);
+		sum = in6_cksum(m, nxt, sizeof(*ip6), plen);
 		m = m_copyback_cow(m, off, sizeof(sum), (void *)&sum,
 		    M_DONTWAIT);
 		if (m == NULL) {
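Review bot: `ip6` is left pointing into the old mbuf after the first `m_copyback_cow()`, and it still appears in `sizeof(*ip6)` on the `in6_cksum()` line. That operand is not evaluated, so nothing is read through the possibly freed pointer here, but it looks like exactly the access this commit removes; `sizeof(struct ip6_hdr)` would say the same without naming the stale pointer. A comment at the `nxt` declaration in the previous hunk, e.g. `/* m_copyback_cow() may free or replace m; read ip6_nxt before it */`, would keep a later cleanup from folding the read back in. rip6_output continues outside both hunks, so any later use of `ip6` there would need `ip6 = mtod(m, struct ip6_hdr *)` after the copyback; that cannot be checked from this page.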
