On Fri, Aug 23, 2013 at 12:47:10PM -0700, Loganaden Velvindron wrote:
> Hi,
>
> From NetBSD:
>
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/udp6_output.c?rev=1.41&content-type=text/x-cvsweb-markup&only_with_tag=MAIN
> "
> Under some circumstances, udp6_output() would call ip6_clearpktopts()
> with an uninitialized struct ip6_pktopts on the stack, opt.
> ip6_clearpktopts(&opt, ...) could dereference dangling pointers,
> leading to memory corruption or a crash. Now, udp6_output() calls
> ip6_clearpktopts(&opt, ...) only if opt was initialized. Thanks to
> Clement LECIGNE for reporting this bug."
>
> I checked openbsd source code and it seems that the issue is present
> as well.
Yes, the release path looks wrong. OK bluhm@
>
> Tentative diff:
>
> Index: udp6_output.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet6/udp6_output.c,v
> retrieving revision 1.19
> diff -u -p -r1.19 udp6_output.c
> --- udp6_output.c 28 Mar 2013 16:45:16 -0000 1.19
> +++ udp6_output.c 23 Aug 2013 19:30:36 -0000
> @@ -119,7 +119,8 @@ udp6_output(struct in6pcb *in6p, struct
> struct in6_addr *laddr, *faddr;
> u_short fport;
> int error = 0;
> - struct ip6_pktopts *optp, opt;
> + struct ip6_pktopts *optp = NULL;
> + struct ip6_pktopts opt;
> int priv;
> int af, hlen;
> int flags;
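Review bot: initialising optp to NULL turns it into a sentinel for "opt has been initialised", but nothing at the declaration says so; a short comment on the `struct ip6_pktopts *optp = NULL;` line would stop the next reader from folding it back into the single `struct ip6_pktopts *optp, opt;` declaration this hunk removes. Splitting the declaration is otherwise the right call, since the initialiser applies only to the pointer and opt itself is still deliberately left uninitialised until it is filled in.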
> @@ -284,7 +285,8 @@ release:
>
> releaseopt:
> if (control) {
> - ip6_clearpktopts(&opt, -1);
> + if (optp == &opt)
> + ip6_clearpktopts(&opt, -1);
> m_freem(control);
> }
> return (error);
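Review bot: the new `if (optp == &opt)` guard is only correct if every assignment of optp = &opt happens after opt has been initialised, and that assignment is not in this hunk, so it needs checking at the point where opt is filled from control. One consequence to confirm there: if optp is set to &opt only after the control message was parsed successfully, a parse that fails part-way must release whatever it had already stored in opt itself, because the release path now skips ip6_clearpktopts(&opt, -1) in that case. Keeping m_freem(control) outside the new guard is right, since the mbuf has to be freed whether or not opt was ever initialised.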
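The bug the quoted NetBSD log describes, and the sentinel check the diff adds, modelled in a constructed C program. This is added example code, not OpenBSD or NetBSD code: struct pktopts, pktopts_set(), pktopts_clear(), the POISON fill and the "hd"/"hx" control strings are all assumptions standing in for struct ip6_pktopts, the code that fills it from a control message, ip6_clearpktopts() and whatever happened to be on the stack. The model also assumes that the control parser releases its own partial allocations when it fails, which is the property the guard relies on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the udp6_output() release path, not OpenBSD or NetBSD
 * code. struct pktopts, pktopts_set(), pktopts_clear() and POISON are assumed
 * stand-ins for struct ip6_pktopts, the code that fills it from a control
 * message, ip6_clearpktopts() and whatever was left on the stack. */

#define POISON 0xA5	/* byte pattern standing in for stale stack contents */

struct pktopts {
	void *hopopts, *dstopts, *rthdr;
};

/* Members released normally vs. members never allocated by us: in the kernel
 * the latter are the dangling pointers that corrupt memory or crash. */
static int released_ok, released_garbage;

static int looks_poisoned(const void *p)
{
	unsigned char poison[sizeof(p)];
	memset(poison, POISON, sizeof(poison));
	return memcmp(&p, poison, sizeof(p)) == 0;
}

/* Stand-in for ip6_clearpktopts(opt, -1): like the real one it trusts that
 * opt was initialised and releases every non-NULL member. */
static void pktopts_clear(struct pktopts *opt)
{
	void **members[] = { &opt->hopopts, &opt->dstopts, &opt->rthdr };
	for (size_t i = 0; i < 3; i++) {
		if (*members[i] == NULL)
			continue;
		if (looks_poisoned(*members[i]))
			released_garbage++;	/* real code would free() garbage here */
		else {
			free(*members[i]);
			released_ok++;
		}
		*members[i] = NULL;
	}
}

/* Stand-in for filling opt from control: zero it, allocate one member per
 * letter ('h', 'd', 'r'); on anything else release what was built and fail. */
static int pktopts_set(struct pktopts *opt, const char *control)
{
	memset(opt, 0, sizeof(*opt));
	for (; *control; control++) {
		void **slot = *control == 'h' ? &opt->hopopts :
		    *control == 'd' ? &opt->dstopts :
		    *control == 'r' ? &opt->rthdr : NULL;
		if (slot == NULL || (*slot == NULL && (*slot = malloc(16)) == NULL)) {
			pktopts_clear(opt);
			return -1;
		}
	}
	return 0;
}

/* guarded == 0 is the release path before the diff (clear whenever control
 * was given); guarded == 1 adds the diff's optp == &opt check. Returns the
 * error code and leaves the counters set; m_freem(control) is not modelled. */
static int output_model(const char *control, int fail_early, int guarded)
{
	struct pktopts *optp = NULL;
	struct pktopts opt;
	int error = 0;

	released_ok = released_garbage = 0;
	memset(&opt, POISON, sizeof(opt));	/* simulate an uninitialised opt */
	if (fail_early) {			/* error taken before control is parsed */
		error = -2;
		goto release;
	}
	if (control) {
		if ((error = pktopts_set(&opt, control)) != 0)
			goto release;
		optp = &opt;			/* opt is now known to be initialised */
	}
	/* ... the datagram would be built and sent here ... */
release:
	if (control && (!guarded || optp == &opt))
		pktopts_clear(&opt);
	return error;
}

int main(void)
{
	/* "hd" is a constructed control message asking for two option members. */
	output_model("hd", 1, 0);
	printf("unguarded, early error: %d garbage members released\n", released_garbage);
	output_model("hd", 1, 1);
	printf("guarded, early error:   %d garbage members released\n", released_garbage);
	output_model("hd", 0, 1);
	printf("guarded, success:       %d members freed\n", released_ok);
	return 0;
}
```

The early-error scenario is the one from the NetBSD log: with control present but an error taken before it is parsed, the unguarded release path hands all three poisoned members to the clear routine, while the guarded path touches none of them. The "hx" scenario exercises the point a reviewer should check in the real code: the parser fails after allocating one member, optp never becomes &opt, and nothing leaks only because the parser cleaned up after itself.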