diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2021-12-13 14:30:17 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2021-12-13 14:30:17 +0000 |
| commit | eaf5f4103506feda446d96464aa4609b5543552e (patch) | |
| tree | 2970841e0a4b319f735e1764cdf7c7f6ee5397cd /sys | |
| parent | 49c35d9f7026606023b67852f16caaa7ebf7e475 (diff) | |
nd6_dad_ns_input() could trigger a NULL deref in nd6_dad_duplicated().
It checks dp in two of three places. One check got lost in revision
1.83. Do a dp == NULL once at the beginning.
OK jsg@
Reported-by: syzbot+88c0ce914a0b10b7e1c8@syzkaller.appspotmail.com
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/netinet6/nd6_nbr.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c index b4ffd7a009d..8d6bf3841b8 100644 --- a/sys/netinet6/nd6_nbr.c +++ b/sys/netinet6/nd6_nbr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nd6_nbr.c,v 1.129 2019/11/29 16:41:02 nayden Exp $ */ +/* $OpenBSD: nd6_nbr.c,v 1.130 2021/12/13 14:30:16 bluhm Exp $ */ /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */ /* @@ -1327,12 +1327,16 @@ nd6_dad_ns_input(struct ifaddr *ifa) duplicate = 0; dp = nd6_dad_find(ifa); + if (dp == NULL) { + log(LOG_ERR, "%s: DAD structure not found\n", __func__); + return; + } /* * if I'm yet to start DAD, someone else started using this address * first. I have a duplicate and you win. */ - if (!dp || dp->dad_ns_ocount == 0) + if (dp->dad_ns_ocount == 0) duplicate++; /* XXX more checks for loopback situation - see nd6_dad_timer too */ @@ -1345,8 +1349,7 @@ nd6_dad_ns_input(struct ifaddr *ifa) * not sure if I got a duplicate. * increment ns count and see what happens. */ - if (dp) - dp->dad_ns_icount++; + dp->dad_ns_icount++; } } |