Module Name:    src
Committed By:   riz
Date:           Fri Jul 16 19:12:53 UTC 2010

Modified Files:
        src/sys/netinet6 [netbsd-5]: udp6_output.c

Log Message:
Pull up following revision(s) (requested by dyoung in ticket #1428):
        sys/netinet6/udp6_output.c: revision 1.41

Under some circumstances, udp6_output() would call ip6_clearpktopts() with an uninitialized struct ip6_pktopts on the stack, opt. ip6_clearpktopts(&opt, ...) could dereference dangling pointers, leading to memory corruption or a crash. Now, udp6_output() calls ip6_clearpktopts(&opt, ...) only if opt was initialized.

Thanks to Clement LECIGNE for reporting this bug.

Fix a potential memory leak: it is udp6_output()'s responsibility to free its mbuf arguments on error. In the unlikely event that sa6_embedscope() failed, udp6_output() would not free its mbuf arguments.

I will ask for this to be pulled up to -4, -5, and -5-0.

To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.37.4.1 src/sys/netinet6/udp6_output.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet6/udp6_output.c diff -u src/sys/netinet6/udp6_output.c:1.37 src/sys/netinet6/udp6_output.c:1.37.4.1 --- src/sys/netinet6/udp6_output.c:1.37 Fri Oct 24 22:30:32 2008 +++ src/sys/netinet6/udp6_output.c Fri Jul 16 19:12:53 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: udp6_output.c,v 1.37 2008/10/24 22:30:32 dyoung Exp $ */ +/* $NetBSD: udp6_output.c,v 1.37.4.1 2010/07/16 19:12:53 riz Exp $ */ /* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.37 2008/10/24 22:30:32 dyoung Exp $"); +__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.37.4.1 2010/07/16 19:12:53 riz Exp $"); #include "opt_inet.h" @@ -126,7 +126,8 @@ int scope_ambiguous = 0; u_int16_t fport; int error = 0; - struct ip6_pktopts *optp, opt; + struct ip6_pktopts *optp = NULL; + struct ip6_pktopts opt; int priv; int af = AF_INET6, hlen = sizeof(struct ip6_hdr); #ifdef INET @@ -167,7 +168,7 @@ if (sin6->sin6_scope_id == 0 && !ip6_use_defzone) scope_ambiguous = 1; if ((error = sa6_embedscope(sin6, ip6_use_defzone)) != 0) - return (error); + goto release; } if (control) { @@ -408,7 +409,8 @@ releaseopt: if (control) { - ip6_clearpktopts(&opt, -1); + if (optp == &opt) + ip6_clearpktopts(&opt, -1); m_freem(control); } return (error);
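Review bot: In the `@@ -126,7 +126,8 @@` hunk, splitting the declaration so that `optp` starts as NULL is what gives the later `optp == &opt` guard its meaning, but `opt` itself is still left uninitialized on the stack here, so the fix only holds if every path that reaches `releaseopt` with `optp == &opt` has fully initialized `opt` first. A one-line comment beside `struct ip6_pktopts *optp = NULL;` saying that `optp == &opt` doubles as the "opt has been initialized" flag would stop a later edit from assigning `optp = &opt` ahead of that initialization and silently reintroducing the uninitialized-struct bug.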
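Review bot: In the `@@ -167,7 +168,7 @@` hunk, replacing `return (error);` with `goto release;` after a failed `sa6_embedscope()` is the right shape for the leak fix, but the `release` label is not visible in this diff, so confirm that it frees the mbuf arguments the commit message refers to, and that if control flow also passes through the `releaseopt` block it does so with `optp` still NULL at this point, so the new guard keeps `ip6_clearpktopts()` away from the uninitialized `opt`. The hunk would read more clearly with a brief comment at the `goto` noting why an early `return` is wrong in this function (the caller does not free the mbufs on error).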
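Review bot: In the `@@ -408,7 +409,8 @@` hunk, the `if (optp == &opt)` guard is correct only as long as `optp` is set to `&opt` strictly after `opt` has been initialized; that assignment is outside this hunk and should be checked and, ideally, referenced in a comment at the guard, for example `/* optp == &opt only once opt has been initialized */`. The guard sits inside `if (control)`, which is consistent with `optp` pointing at the stack `opt` only when a control mbuf was supplied, but a reader of the `releaseopt` block alone cannot see that invariant, and `m_freem(control)` is still reached on every path, which is what the leak fix needs.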