remote use-after-free in icmp6
Marek Zarychta
zarychtam at plan-b.pwste.edu.pl
Tue Nov 10 16:59:15 UTC 2020
W dniu 05.11.2020 o 01:41, mike tancsa pisze:
> Hi,
>
> Is this an issue in HEAD only ? Or is it something that needs to be
> MFC'd ?
>
> ---Mike
It has been MFCed to 12-STABLE with r367402[1].
What about 11-STABLE users? Should they be worried about missing MFC as
well or ignore the issue as non-exploitable on their systems?
[1]
https://lists.freebsd.org/pipermail/svn-src-all/2020-November/204977.html
--
Marek Zarychta
>
> On 10/28/2020 4:27 PM, Alexander V. Chernikov wrote:
>> 28.10.2020, 20:25, "Alexander V. Chernikov" <melifaro at ipfw.ru>:
>>> 28.10.2020, 18:34, "Maxime Villard" <max at m00nbsd.net>:
>>>> In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when
>>>> iterating over the next IPv6 options the kernel can free that mbuf, meaning
>>>> the dereferences of 'finaldst' hit a freed buffer.
>> [sorry for reposting, plaintext this time]
>>> Fixed in r367114, thanks for reporting!
>>>> Note that this is triggerable without specific conditions, over just ICMPv6.
>>>>
>>>> Maxime
>>>> _______________________________________________
>>>> freebsd-net at freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
More information about the freebsd-net
mailing list