remote use-after-free in icmp6

Maxime Villard max at m00nbsd.net
Wed Oct 28 18:34:41 UTC 2020

Previous message (by thread): Lütfen Not Ediniz! Dünya Yatırımcı Haftası / 16-21 Kasım 2020
Next message (by thread): remote use-after-free in icmp6
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when
iterating over the next IPv6 options the kernel can free that mbuf, meaning
the dereferences of 'finaldst' hit a freed buffer.

Note that this is triggerable without specific conditions, over just ICMPv6.

Maxime

Previous message (by thread): Lütfen Not Ediniz! Dünya Yatırımcı Haftası / 16-21 Kasım 2020
Next message (by thread): remote use-after-free in icmp6
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the freebsd-net mailing list