CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2019/09/04 10:11:58
Modified files:
sys/netinet6 : ip6_mroute.c
Log message:
Fix a route use after free in IPv6 multicast route. Move the
mrt6_mcast6_del() out of the rtable_walk(). This avoids recursion
to prevent stack overflow. Also it allows freeing the route outside
of the walk. Now mrt6_mcast_del() frees the route only when it is
deleted from the routing table. If that fails, it must not be
freed. After the route is returned by mf6c_find(), it is reference
counted. Then we need a rtfree(), but not in the other case.
Name mrt6_mcast_add() and mrt6_mcast_del() consistently.
Move rt_timer_remove_all() into mrt6_mcast_del().
Reported-by: syzbot+af7d510593d74c825...@syzkaller.appspotmail.com
OK mpi@
