The branch stable/12 has been updated by vangyzen:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=8fa89d8b190472778ed07db9d8937cb1ce7b44fc

commit 8fa89d8b190472778ed07db9d8937cb1ce7b44fc
Author:     Eric van Gyzen <[email protected]>
AuthorDate: 2023-05-23 09:46:42 +0000
Commit:     Eric van Gyzen <[email protected]>
CommitDate: 2023-05-30 12:10:03 +0000

    Fix NULL deref in ip_output during route change
    
    When changing the interface address during a route change,
    the rtentry's rt_ifa will be NULL briefly.  Some parts of
    ip_output do not handle that NULL.  In such a case, re-validate
    the rtentry.  That validation does not check the rt_ifa, but
    it does lock the route, which will synchronize with
    rtrequest1_fib_change.
    
    I would prefer to leave the rt_ifa pointer intact during
    the route change, but ip6_output is not fully protected
    by the net_epoch, so that could allow a use-after-free.
    ip6_output already handles a NULL rt_ifa.
    
    This is a direct commit to stable/12 because later branches
    have nexthop and do not appear to have this bug.
    
    PR:             271573
    Reported by:    [email protected]
    Sponsored by:   Dell EMC Isilon
    Differential Revision:  https://reviews.freebsd.org/D40236
---
 sys/netinet/ip_output.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 399afa184999..93b41376f3c2 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -393,6 +393,10 @@ again:
                        goto bad;
                }
                ia = ifatoia(rte->rt_ifa);
+               if (ia == NULL) {
+                       /* race with rtrequest1_fib_change */
+                       goto again;
+               }
                ifp = rte->rt_ifp;
                counter_u64_add(rte->rt_pksent, 1);
                rt_update_ro_flags(ro);
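Review bot: the `goto again` taken when `ia == NULL` is an unbounded retry, and the one-line comment does not say what guarantees it terminates or why the jump is safe; since `ia` is derived directly from `rte->rt_ifa`, a NULL here means the route is mid-change, and the only thing that prevents a spin is that the re-validation reached from `again:` takes the route lock and so cannot observe the rtentry until rtrequest1_fib_change has finished installing the new address. Suggest making the comment carry that reasoning, e.g. `/* rt_ifa is NULL while rtrequest1_fib_change swaps the address; re-validating after 'again' locks the route and waits for it */`, and confirming in the review that the re-validation path re-reads `rte` (rather than reusing the cached pointer) before the `ifatoia()` line is reached again, otherwise this loop would keep reading the same stale entry.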
