remote use-after-free in icmp6
mike tancsa
mike at sentex.net
Thu Nov 5 00:41:03 UTC 2020
Hi,
Is this an issue in HEAD only? Or is it something that needs to be
MFC'd?
---Mike
On 10/28/2020 4:27 PM, Alexander V. Chernikov wrote:
> 28.10.2020, 20:25, "Alexander V. Chernikov" <melifaro at ipfw.ru>:
>> 28.10.2020, 18:34, "Maxime Villard" <max at m00nbsd.net>:
>>> In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when
>>> iterating over the next IPv6 options the kernel can free that mbuf, meaning
>>> the dereferences of 'finaldst' hit a freed buffer.
> [sorry for reposting, plaintext this time]
>> Fixed in r367114, thanks for reporting!
>>> Note that this is triggerable without specific conditions, over just ICMPv6.
>>>
>>> Maxime
>>> _______________________________________________
>>> freebsd-net at freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
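The hazard reported in this thread, a pointer into packet storage that is held across a header walk which can free that storage, is shown here as a userspace model. This is an added example, not FreeBSD kernel code and not the r367114 change; `struct pkt`, `pkt_pullup`, `walk_ext_headers` and `make_sample` are hypothetical names, and the packet is constructed. The defensive pattern is to copy the destination address out by value before the walk instead of keeping a pointer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_LEN 16   /* size of an IPv6 address */
#define DST_OFF  24   /* offset of the destination address in the IPv6 header */

/* Hypothetical stand-in for an mbuf: owned storage plus a generation counter. */
struct pkt { uint8_t *data; size_t len; unsigned gen; };

/* Models a pullup-style helper: it may move the data and free the old storage. */
static int pkt_pullup(struct pkt *p, size_t need) {
    if (need > p->len) return -1;          /* truncated packet */
    uint8_t *n = malloc(p->len);
    if (n == NULL) return -1;
    memcpy(n, p->data, p->len);
    free(p->data);                         /* pointers into the old storage now dangle */
    p->data = n;
    p->gen++;                              /* records that the storage moved */
    return 0;
}

/* Copies the destination out FIRST, then walks the option headers. 0 on success. */
static int walk_ext_headers(struct pkt *p, uint8_t dst_out[ADDR_LEN]) {
    if (p->len < 40) return -1;
    memcpy(dst_out, p->data + DST_OFF, ADDR_LEN);   /* by value, not a pointer */
    uint8_t nxt = p->data[6];
    size_t off = 40;
    while (nxt == 0 || nxt == 60) {        /* hop-by-hop or destination options */
        if (pkt_pullup(p, off + 8) != 0) return -1;     /* storage may move here */
        size_t hlen = ((size_t)p->data[off + 1] + 1) * 8;
        if (pkt_pullup(p, off + hlen) != 0) return -1;
        nxt = p->data[off];                /* always re-read through p->data */
        off += hlen;
    }
    return 0;
}

/* Constructed sample: IPv6 header, one 8-byte destination-options header, then ICMPv6. */
static struct pkt make_sample(void) {
    struct pkt p = { calloc(1, 56), 56, 0 };
    if (p.data == NULL) { p.len = 0; return p; }
    p.data[6] = 60;                            /* next header: destination options */
    memset(p.data + DST_OFF, 0xAB, ADDR_LEN);  /* constructed destination address */
    p.data[40] = 58;                           /* header after the options: ICMPv6 */
    return p;
}
```

After the walk, `gen` is nonzero, so any pointer captured before it would refer to freed storage, while the copied address is still valid.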