svn commit: r338831 - head/sys/netinet6
Bjoern A. Zeeb
bz at FreeBSD.org
Thu Sep 20 15:45:54 UTC 2018
Author: bz
Date: Thu Sep 20 15:45:53 2018
New Revision: 338831
URL: https://svnweb.freebsd.org/changeset/base/338831
Log:
In icmp6_rip6_input(), once we have a lock, make sure the inp is
not freed. This can happen since the list traversal and locking
was converted to epoch(9). If the inp is marked "freed", skip it.
This prevents a NULL pointer deref panic in ip6_savecontrol_v4()
trying to access the socket hanging off the inp, which was gone
by the time we got there.
Reported by: andrew
Tested by: andrew
Approved by: re (gjb)
Modified:
head/sys/netinet6/icmp6.c
Modified: head/sys/netinet6/icmp6.c
==============================================================================
--- head/sys/netinet6/icmp6.c Thu Sep 20 15:45:12 2018 (r338830)
+++ head/sys/netinet6/icmp6.c Thu Sep 20 15:45:53 2018 (r338831)
@@ -1936,6 +1936,10 @@ icmp6_rip6_input(struct mbuf **mp, int off)
!IN6_ARE_ADDR_EQUAL(&in6p->in6p_faddr, &ip6->ip6_src))
continue;
INP_RLOCK(in6p);
+ if (__predict_false(in6p->inp_flags2 & INP_FREED)) {
+ INP_RUNLOCK(in6p);
+ continue;
+ }
if (ICMP6_FILTER_WILLBLOCK(icmp6->icmp6_type,
in6p->in6p_icmp6filt)) {
INP_RUNLOCK(in6p);
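Review bot: the INP_FREED test added right after INP_RLOCK(in6p) carries no comment, and nothing in the code says why a pcb found during the list walk can already be marked freed. A short comment above the `if`, noting that the epoch(9) traversal can return an inp that was freed before the lock was acquired, would keep the check from being dropped as dead code later. The IN6_ARE_ADDR_EQUAL() comparison on in6p->in6p_faddr in the context just above still runs before the lock is taken; if that is intentional because the inp memory stays valid inside the epoch section, the same comment is the place to say so.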