diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2020-10-28 17:27:36 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2020-10-28 17:27:36 +0000 |
| commit | 72a75968c4791013c664d4e6bd7320bf39fd0660 (patch) | |
| tree | 5ea2bbce064319da2cde293dc721b7ecbb64dbf7 /sys/netinet | |
| parent | 6c3611d5e3969024048bb96fa98fceea1fef323f (diff) | |
When generating the ICMP6 response to an IPv6 packet, the kernel
could use mbuf memory after freeing it. If m_pullup() allocates a
new mbuf, the caller uses the old pointer.
found and reported by Maxime Villard, thanks
OK claudio@ markus@ denis@
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/icmp6.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netinet/icmp6.h b/sys/netinet/icmp6.h index ce28ea9cb10..468b45ca43f 100644 --- a/sys/netinet/icmp6.h +++ b/sys/netinet/icmp6.h @@ -1,4 +1,4 @@ -/* $OpenBSD: icmp6.h,v 1.49 2020/09/01 01:53:13 gnezdo Exp $ */ +/* $OpenBSD: icmp6.h,v 1.50 2020/10/28 17:27:35 bluhm Exp $ */ /* $KAME: icmp6.h,v 1.84 2003/04/23 10:26:51 itojun Exp $ */ /* @@ -594,7 +594,7 @@ struct mbuf *icmp6_do_error(struct mbuf *, int, int, int); void icmp6_error(struct mbuf *, int, int, int); int icmp6_input(struct mbuf **, int *, int, int); void icmp6_fasttimo(void); -int icmp6_reflect(struct mbuf *, size_t, struct sockaddr *); +int icmp6_reflect(struct mbuf **, size_t, struct sockaddr *); void icmp6_prepare(struct mbuf *); void icmp6_redirect_input(struct mbuf *, int); void icmp6_redirect_output(struct mbuf *, struct rtentry *); |