git: 0ed72537857b - main - netinet6: perform out-of-bounds check for loX multicast statistics
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 05 Jul 2022 11:44:36 UTC
The branch main has been updated by melifaro:
URL: https://cgit.FreeBSD.org/src/commit/?id=0ed72537857bfb6ac6d19b0852a52288db79b8b0
commit 0ed72537857bfb6ac6d19b0852a52288db79b8b0
Author: Alexander V. Chernikov <melifaro@FreeBSD.org>
AuthorDate: 2022-07-04 20:03:06 +0000
Commit: Alexander V. Chernikov <melifaro@FreeBSD.org>
CommitDate: 2022-07-05 11:44:30 +0000
netinet6: perform out-of-bounds check for loX multicast statistics
Currently, some per-mbuf multicast statistics is stored in
the per-interface ip6stat.ip6s_m2m[] array of size 32 (IP6S_M2MMAX).
Check that loopback ifindex falls within 0.. IP6S_M2MMAX-1 range to
avoid silent data corruption. The latter cat happen with large
number of VNETs.
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D35715
MFC after: 2 weeks
---
sys/netinet6/ip6_input.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index a9bc05f0c19c..6394475d7df8 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -588,12 +588,11 @@ ip6_input(struct mbuf *m)
IP6STAT_INC(ip6s_mext1);
} else {
if (m->m_next) {
- if (m->m_flags & M_LOOP) {
- IP6STAT_INC(ip6s_m2m[V_loif->if_index]);
- } else if (rcvif->if_index < IP6S_M2MMAX)
- IP6STAT_INC(ip6s_m2m[rcvif->if_index]);
- else
- IP6STAT_INC(ip6s_m2m[0]);
+ struct ifnet *ifp = (m->m_flags & M_LOOP) ? V_loif : rcvif;
+ int ifindex = ifp->if_index;
+ if (ifindex >= IP6S_M2MMAX)
+ ifindex = 0;
+ IP6STAT_INC(ip6s_m2m[ifindex]);
} else
IP6STAT_INC(ip6s_m1);
}