It was possible to leak the control mbuf in raw ip user request

with sendmsg(2) and MSG_OOB.  Sync the code in udp, rip, and
rip6_usrreq.  Add an inp NULL check in rip6_usrreq for consistency.
OK benno@ mpi@

1 files changed, 11 insertions, 2 deletions

diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index e89c21e403c..80fbcc1a393 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: raw_ip6.c,v 1.128 2018/07/04 02:08:13 anton Exp $	*/
+/*	$OpenBSD: raw_ip6.c,v 1.129 2018/07/05 21:16:52 bluhm Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $	*/
 
 /*
@@ -544,7 +544,7 @@ int
 rip6_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
 	struct mbuf *control, struct proc *p)
 {
-	struct inpcb *in6p = sotoinpcb(so);
+	struct inpcb *in6p;
 	int error = 0;
 
 	if (req == PRU_CONTROL)
@@ -553,6 +553,12 @@ rip6_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
 
 	soassertlocked(so);
 
+	in6p = sotoinpcb(so);
+	if (in6p == NULL) {
+		error = EINVAL;
+		goto release;
+	}
+
 	switch (req) {
 	case PRU_DISCONNECT:
 		if ((so->so_state & SS_ISCONNECTED) == 0) {
@@ -654,6 +660,7 @@ rip6_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
 			dst.sin6_scope_id = addr6->sin6_scope_id;
 		}
 		error = rip6_output(m, so, sin6tosa(&dst), control);
+		control = NULL;
 		m = NULL;
 		break;
 	}
@@ -687,6 +694,8 @@ rip6_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
 	default:
 		panic("rip6_usrreq");
 	}
+release:
+	m_freem(control);
 	m_freem(m);
 	return (error);
 }