author | 2005-10-22 06:38:54 +0000 | |
---|---|---|
committer | 2005-10-22 06:38:54 +0000 | |
commit | db004b2c9bb5c0279f9b2d268b69e9481f0cf972 (patch) | |
tree | 0b0c201bcb2a58cee17738a23f4a85ad26435616 | |
parent | tidy up dmesg printing. (diff) | |
download | wireguard-openbsd-db004b2c9bb5c0279f9b2d268b69e9481f0cf972.tar.xz wireguard-openbsd-db004b2c9bb5c0279f9b2d268b69e9481f0cf972.zip |
In icmp6_redirect_output(), sip6 is initialised to point to the data area of
m0. But m0 may be freed later, so trying to use sip6 at the end of this
function is wrong. My guess is that we want to reference the data area
of m (the mbuf about to be sent) instead at this point.
Fix a panic on Xen (where a data area of a mbuf may be unmapped when the
mbuf is freed), and probably potential data/pool corruption in other cases.
From bouyer NetBSD
ok deraadt@
-rw-r--r-- | sys/netinet6/icmp6.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 746ec6b2fe0..047376ede3d 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: icmp6.c,v 1.84 2005/01/17 10:18:03 itojun Exp $ */ +/* $OpenBSD: icmp6.c,v 1.85 2005/10/22 06:38:54 brad Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -2607,6 +2607,7 @@ noredhdropt: m0 = NULL; } + sip6 = mtod(m, struct ip6_hdr *); if (IN6_IS_ADDR_LINKLOCAL(&sip6->ip6_src)) sip6->ip6_src.s6_addr16[1] = 0; if (IN6_IS_ADDR_LINKLOCAL(&sip6->ip6_dst)) |
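Review bot: The added `sip6 = mtod(m, struct ip6_hdr *);` in the second hunk (right after `m0 = NULL; }`) has no comment explaining why sip6 is re-derived, so a later cleanup could drop it as redundant and bring back the stale pointer into m0's data area. Add a one-line comment above it saying that m0 may already have been freed and that sip6 must point into m from here on. Because mtod() is only a cast and checks nothing, it is also worth confirming that m is non-NULL on every path reaching this line and that its first mbuf holds a complete struct ip6_hdr before `sip6->ip6_src` and `sip6->ip6_dst` are written; the visible context does not show either.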