Author: markj
Date: Thu Jul 30 17:43:23 2020
New Revision: 363710
URL: https://svnweb.freebsd.org/changeset/base/363710
Log: ip6_output(): Check the return value of in6_getlinkifnet(). If the destination address has an embedded scope ID, make sure that it corresponds to a valid ifnet before proceeding. Otherwise a sendto() with a bogus link-local address can trigger a NULL pointer dereference. Reported by: syzkaller Reviewed by: ae Fixes: r358572 Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D25887 Modified: head/sys/netinet6/ip6_output.c Modified: head/sys/netinet6/ip6_output.c ============================================================================== --- head/sys/netinet6/ip6_output.c Thu Jul 30 17:18:42 2020 (r363709) +++ head/sys/netinet6/ip6_output.c Thu Jul 30 17:43:23 2020 (r363710) @@ -761,6 +761,10 @@ again: IN6_IS_ADDR_MC_NODELOCAL(&dst_sa.sin6_addr)) { if (scopeid > 0) { ifp = in6_getlinkifnet(scopeid); + if (ifp == NULL) { + error = EHOSTUNREACH; + goto bad; + } *dst = dst_sa; /* XXX */ goto nonh6lookup; } _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
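Review bot: the new `if (ifp == NULL)` branch right after `ifp = in6_getlinkifnet(scopeid);` carries no comment saying why the lookup can fail, and the choice of `EHOSTUNREACH` is not explained in the code. A one-line comment noting that the scope ID comes from the destination address supplied by the caller and may not correspond to a valid ifnet would keep the check from being mistaken for dead code later. The log says a sendto() with a bogus link-local address reaches this path, so a regression test that issues that call and expects the error return would be worth adding with the fix.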