Module Name:    src
Committed By:   riz
Date:           Fri Jul 16 19:12:53 UTC 2010

Modified Files:
        src/sys/netinet6 [netbsd-5]: udp6_output.c

Log Message:
Pull up following revision(s) (requested by dyoung in ticket #1428):
        sys/netinet6/udp6_output.c: revision 1.41
Under some circumstances, udp6_output() would call ip6_clearpktopts()
with an uninitialized struct ip6_pktopts on the stack, opt.
ip6_clearpktopts(&opt, ...) could dereference dangling pointers,
leading to memory corruption or a crash.  Now, udp6_output() calls
ip6_clearpktopts(&opt, ...) only if opt was initialized. Thanks to
Clement LECIGNE for reporting this bug.
Fix a potential memory leak: it is udp6_output()'s responsibility
to free its mbuf arguments on error.  In the unlikely event that
sa6_embedscope() failed, udp6_output() would not free its mbuf
arguments.
I will ask for this to be pulled up to -4, -5, and -5-0.
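
The two defects the log message describes, as an added C model that is not NetBSD code: `output_model` with `fixed=0` follows the error paths of revision 1.37 and with `fixed=1` follows the patch, and instead of freeing indeterminate pointers it records in `cleared_uninit` that it would have done so. The `EARLY_FAIL` step is an assumed validation failure that occurs before the control mbuf is parsed (the log only says "some circumstances"), and the struct, field and function names are stand-ins for the kernel's.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct pktopts { void *hoplimit; void *rthdr; };   /* stand-in for struct ip6_pktopts */

enum { NO_FAIL = 0, EARLY_FAIL = 1, EMBEDSCOPE_FAIL = 2 };   /* which modelled step fails */

struct outcome { int error, cleared_uninit, m_freed, control_freed; };

/* Stand-in for ip6_setpktopts(): zeroes the struct, then lets it own a buffer. */
static void setpktopts(struct pktopts *o) { memset(o, 0, sizeof *o); o->rthdr = malloc(8); }

/* Stand-in for ip6_clearpktopts(): frees whatever the struct points at, so it
 * is only safe on a struct that setpktopts() has initialized first. */
static void clearpktopts(struct pktopts *o) { free(o->hoplimit); free(o->rthdr); }

/* Models udp6_output()'s error handling. fixed=0 mirrors revision 1.37,
 * fixed=1 mirrors the patch. The shadow flag opt_initialized lets the model
 * report the uninitialized-clear hazard instead of freeing garbage. */
static struct outcome output_model(int have_control, int failing_step, int fixed)
{
    struct outcome r = {0, 0, 0, 0};
    struct pktopts opt;            /* left uninitialized on purpose, as in the kernel */
    struct pktopts *optp = NULL;   /* the patch's NULL init; the 1.37 path never consults it */
    int opt_initialized = 0;

    /* Assumed: an address sanity check that fails before control is parsed. */
    if (failing_step == EARLY_FAIL) { r.error = EINVAL; goto release; }
    if (failing_step == EMBEDSCOPE_FAIL) {   /* sa6_embedscope() failure */
        r.error = EINVAL;
        if (fixed) goto release;
        return r;                  /* 1.37: returned without freeing m or control */
    }
    if (have_control) { setpktopts(&opt); optp = &opt; opt_initialized = 1; }
    /* ... header construction and ip6_output(), which consumes m, elided ... */
    goto releaseopt;
release:
    r.m_freed = 1;                 /* m_freem(m) */
releaseopt:
    if (have_control) {
        if (!fixed || optp == &opt) {
            if (opt_initialized) clearpktopts(&opt);
            else r.cleared_uninit = 1;   /* 1.37 freed indeterminate pointers here */
        }
        r.control_freed = 1;       /* m_freem(control) */
    }
    return r;
}
```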


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.37.4.1 src/sys/netinet6/udp6_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/udp6_output.c
diff -u src/sys/netinet6/udp6_output.c:1.37 src/sys/netinet6/udp6_output.c:1.37.4.1
--- src/sys/netinet6/udp6_output.c:1.37	Fri Oct 24 22:30:32 2008
+++ src/sys/netinet6/udp6_output.c	Fri Jul 16 19:12:53 2010
@@ -1,4 +1,4 @@
-/*	$NetBSD: udp6_output.c,v 1.37 2008/10/24 22:30:32 dyoung Exp $	*/
+/*	$NetBSD: udp6_output.c,v 1.37.4.1 2010/07/16 19:12:53 riz Exp $	*/
 /*	$KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.37 2008/10/24 22:30:32 dyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.37.4.1 2010/07/16 19:12:53 riz Exp $");
 
 #include "opt_inet.h"
 
@@ -126,7 +126,8 @@
 	int scope_ambiguous = 0;
 	u_int16_t fport;
 	int error = 0;
-	struct ip6_pktopts *optp, opt;
+	struct ip6_pktopts *optp = NULL;
+	struct ip6_pktopts opt;
 	int priv;
 	int af = AF_INET6, hlen = sizeof(struct ip6_hdr);
 #ifdef INET
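Review bot: initializing optp to NULL on the `+` line is what gives the later `optp == &opt` guard a defined value to compare on paths where control is never parsed; the guard is only sound if every site that assigns `optp = &opt` does so after opt has actually been set up, so those assignments, which lie outside this hunk, are worth checking in the same review. Splitting the declaration onto two lines also makes it plain that opt itself stays uninitialized until then.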
@@ -167,7 +168,7 @@
 		if (sin6->sin6_scope_id == 0 && !ip6_use_defzone)
 			scope_ambiguous = 1;
 		if ((error = sa6_embedscope(sin6, ip6_use_defzone)) != 0)
-			return (error);
+			goto release;
 	}
 
 	if (control) {
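Review bot: swapping `return (error)` for `goto release` closes the leak the log message describes, but the `release` label is outside this hunk and must be read with it: the sa6_embedscope() failure occurs before the `if (control)` block that follows, so the release path will reach the control cleanup with opt never initialized. This change is therefore only safe together with the releaseopt guard in the last hunk, and the two should not be backported separately. error is already set by the assignment inside the condition, so nothing else needs to change here.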
@@ -408,7 +409,8 @@
 
 releaseopt:
 	if (control) {
-		ip6_clearpktopts(&opt, -1);
+		if (optp == &opt)
+			ip6_clearpktopts(&opt, -1);
 		m_freem(control);
 	}
 	return (error);
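Review bot: the new `optp == &opt` guard is correct but reads as a puzzle without context; a one-line comment above it, e.g. `/* opt is only initialized once optp points at it */`, would spare the next reader from tracing optp back through the function. The guard also only works because optp now starts out NULL (first code hunk); if a later change assigns `optp = &opt` before ip6_setpktopts() succeeds, ip6_clearpktopts() would again run on indeterminate pointers. m_freem(control) stays unconditional inside the block, which is what the leak fix needs.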
