Module Name: src
Committed By: martin
Date: Sun Apr 1 09:22:37 UTC 2018
Modified Files:
src/sys/netinet6 [netbsd-6]: raw_ip6.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1541):
sys/netinet6/raw_ip6.c: revision 1.161
Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so
it is wrong to read ip6->ip6_nxt.
To generate a diff of this commit:
cvs rdiff -u -r1.109.2.1 -r1.109.2.2 src/sys/netinet6/raw_ip6.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.109.2.1 src/sys/netinet6/raw_ip6.c:1.109.2.2
--- src/sys/netinet6/raw_ip6.c:1.109.2.1 Tue Jan 30 18:44:22 2018
+++ src/sys/netinet6/raw_ip6.c Sun Apr 1 09:22:37 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: raw_ip6.c,v 1.109.2.1 2018/01/30 18:44:22 martin Exp $ */
+/* $NetBSD: raw_ip6.c,v 1.109.2.2 2018/04/01 09:22:37 martin Exp $ */
/* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.2.1 2018/01/30 18:44:22 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109.2.2 2018/04/01 09:22:37 martin Exp $");
#include "opt_ipsec.h"
@@ -502,6 +502,7 @@ rip6_output(struct mbuf *m, struct socke
if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 ||
in6p->in6p_cksum != -1) {
+ const uint8_t nxt = ip6->ip6_nxt;
int off;
u_int16_t sum;
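Review bot: The new local `nxt` carries no comment explaining why the next-header value is copied out before use, so a later cleanup could fold it back into `ip6->ip6_nxt` and reintroduce the bug. A one-line comment above the declaration would pin the reason, for example `/* m_copyback_cow() may free the mbuf ip6 points into; read ip6_nxt first */`. As a style point, the neighbouring declaration uses the BSD spelling `u_int16_t`, so `u_int8_t` would match the block. The enclosing block of rip6_output starts and ends outside this hunk.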
@@ -523,7 +524,7 @@ rip6_output(struct mbuf *m, struct socke
error = ENOBUFS;
goto bad;
}
- sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen);
+ sum = in6_cksum(m, nxt, sizeof(*ip6), plen);
m = m_copyback_cow(m, off, sizeof(sum), (void *)&sum,
M_DONTWAIT);
if (m == NULL) {
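Review bot: `ip6` stays in scope and stays stale after the first m_copyback_cow named in the log message and after the call on the line following the change. Any dereference of it further down rip6_output, which is not visible in this hunk, would repeat the use-after-free this commit fixes. `sizeof(*ip6)` on the changed line is fine because the operand is not evaluated. It is worth confirming that nothing after this block reads through `ip6`, and marking the pointer as invalid with a comment such as `/* ip6 must not be dereferenced past this point */`. The function body continues outside the hunk.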