diff options
| author |   mpi <mpi@openbsd.org> | 2016-09-04 17:18:56 +0000 |
|---|---|---|
| committer | mpi <mpi@openbsd.org> | 2016-09-04 17:18:56 +0000 |
| commit | 0fbf66b1d6f6fdaed2e29ea1b448ea3cb4c4a34a (patch) | |
| tree | 114f4a6e91d3b9d821f43081e13f87c7ebb9f4e8 | |
| parent | Expand DECLARE_ASN1_.*FUNCTIONS macros. (diff) | |
| download | wireguard-openbsd-0fbf66b1d6f6fdaed2e29ea1b448ea3cb4c4a34a.tar.xz wireguard-openbsd-0fbf66b1d6f6fdaed2e29ea1b448ea3cb4c4a34a.zip | |
Prevent a NULL derefernce in ip_output().
A race can happen if a task, like the watchog, sleeps too long keeping
an ifp reference while the interface is detached. In this case a TCP
timer will try to send packets with a cached route. Since the ifp is
being detached if_get(9) returns NULL.
Found the hardway by awolk@.
ok bluhm@
| -rw-r--r-- | sys/netinet/ip_output.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 4aa06de5f8e..2c0f416af9e 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.326 2016/08/15 11:35:25 dlg Exp $ */ +/* $OpenBSD: ip_output.c,v 1.327 2016/09/04 17:18:56 mpi Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -214,6 +214,10 @@ reroute: ifp = if_get(lo0ifidx); else ifp = if_get(ro->ro_rt->rt_ifidx); + if (ifp == NULL) { + error = EHOSTUNREACH; + goto bad; + } if ((mtu = ro->ro_rt->rt_rmx.rmx_mtu) == 0) mtu = ifp->if_mtu; |