diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-05-04 17:58:47 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-05-04 17:58:47 +0000 |
| commit | 7f974b78cee07c7d1db67bc826cf636862318b39 (patch) | |
| tree | f49ea68d299248cdd9a006b31d8780017ab37014 /sys/netinet6/icmp6.c | |
| parent | cc09ef627d2e8a7015f53b5c91a6ef7cf0f5cfe2 (diff) | |
If m is not a continuous mbuf cluster, m_pullup() in pr_input may
change the pointer. Then *mp keeps the invalid pointer and it might
be used. Fix the potential use after free and also reset *mp in
other places to have less dangling pointers to freed mbufs.
OK mpi@ mikeb@
Diffstat (limited to 'sys/netinet6/icmp6.c')
| -rw-r--r-- | sys/netinet6/icmp6.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 2464db14bf8..e9cb269a197 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: icmp6.c,v 1.207 2017/04/19 15:44:45 bluhm Exp $ */ +/* $OpenBSD: icmp6.c,v 1.208 2017/05/04 17:58:46 bluhm Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -533,7 +533,7 @@ icmp6_input(struct mbuf **mp, int *offp, int proto, int af) if ((n = m_copym(m, 0, M_COPYALL, M_DONTWAIT)) == NULL) { /* Give up local */ n = m; - m = NULL; + m = *mp = NULL; goto deliverecho; } /* @@ -567,7 +567,7 @@ icmp6_input(struct mbuf **mp, int *offp, int proto, int af) /* Give up local */ m_freem(n0); n = m; - m = NULL; + m = *mp = NULL; goto deliverecho; } M_MOVE_PKTHDR(n, n0); |