svn commit: r332841 - stable/11/sys/netinet6
Jonathan T. Looney
jtl at FreeBSD.org
Fri Apr 20 20:16:42 UTC 2018
Author: jtl
Date: Fri Apr 20 20:16:42 2018
New Revision: 332841
URL: https://svnweb.freebsd.org/changeset/base/332841
Log:
MFC r319215:
Fix two places in the ICMP6 code where we could dereference a NULL pointer
in the icmp6_input() function.

When processing an ICMP6_ECHO_REQUEST, if IP6_EXTHDR_GET fails, it will
set nicmp6 and n to NULL. Therefore, we should condition our modification
to nicmp6 on n being not NULL.

And, when processing an ICMP6_WRUREQUEST in the (mode != FQDN) case, if
m_dup_pkthdr() fails, the code will set n to NULL. However, the very next
line dereferences n. Therefore, when m_dup_pkthdr() fails, we should
discontinue further processing and follow the same path as when m_gethdr()
fails.

Reported by: clang static analyzer
Sponsored by: Netflix, Inc.
Modified:
stable/11/sys/netinet6/icmp6.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/netinet6/icmp6.c
==============================================================================
--- stable/11/sys/netinet6/icmp6.c Fri Apr 20 20:09:42 2018 (r332840)
+++ stable/11/sys/netinet6/icmp6.c Fri Apr 20 20:16:42 2018 (r332841)
@@ -596,9 +596,9 @@ icmp6_input(struct mbuf **mp, int *offp, int proto)
sizeof(*nicmp6));
noff = off;
}
- nicmp6->icmp6_type = ICMP6_ECHO_REPLY;
- nicmp6->icmp6_code = 0;
if (n) {
+ nicmp6->icmp6_type = ICMP6_ECHO_REPLY;
+ nicmp6->icmp6_code = 0;
ICMP6STAT_INC(icp6s_reflect);
ICMP6STAT_INC(icp6s_outhist[ICMP6_ECHO_REPLY]);
icmp6_reflect(n, noff);
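Review bot: The guard at `if (n) {` now covers the two `nicmp6->` stores, but it tests `n` rather than the pointer actually being dereferenced. That is safe only because, as the log states, a failed IP6_EXTHDR_GET sets nicmp6 and n to NULL together; a one-line comment above `if (n) {` recording that coupling, or an explicit `nicmp6 != NULL` test alongside `n`, would keep a later change to either branch from reintroducing the dereference. In the lines shown the n == NULL case also passes without any counter being incremented, so consider whether a failed reply allocation should be visible in the ICMP6 statistics.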
@@ -688,6 +688,7 @@ icmp6_input(struct mbuf **mp, int *offp, int proto)
*/
m_free(n);
n = NULL;
+ break;
}
maxhlen = M_TRAILINGSPACE(n) -
(sizeof(*nip6) + sizeof(*nicmp6) + 4);
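Review bot: The added `break;` after `n = NULL;` stops the fall-through into `M_TRAILINGSPACE(n)`, but it leaves the case with n == NULL and depends on the code after the switch tolerating that, which this hunk does not show. The comment ending at `*/` should say that this failure deliberately takes the same exit as the m_gethdr() failure named in the log, and that exit should be checked to confirm it never touches n. With the break in place, the `n = NULL;` store matters only to that later code, so the same comment is the right place to say why it is kept.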