On Fri, Feb 12, 2021 at 12:03:49PM +0000, Ricardo Mestre wrote: > Hi, > > This was reported on CID 1501718, ifp starts as NULL and then might be > deref'ed. > > The question is does the below make any sense to solve it since I don't know > what I'm doing? :) > > What do you net gurus say? > > Index: pf.c > =================================================================== > RCS file: /cvs/src/sys/net/pf.c,v > retrieving revision 1.1108 > diff -u -p -u -r1.1108 pf.c > --- pf.c 4 Feb 2021 00:55:41 -0000 1.1108 > +++ pf.c 12 Feb 2021 11:52:31 -0000 > @@ -6156,6 +6156,10 @@ pf_route6(struct pf_pdesc *pd, struct pf > dst->sin6_addr = s->rt_addr.v6; > rtableid = m0->m_pkthdr.ph_rtableid; > > + ifp = if_get(rt->rt_ifidx); > + if (ifp == NULL) > + goto bad; > + > if (IN6_IS_SCOPE_EMBED(&dst->sin6_addr)) > dst->sin6_addr.s6_addr16[1] = htons(ifp->if_index); > rt = rtalloc(sin6tosa(dst), RT_RESOLVE, rtableid); > @@ -6168,10 +6172,6 @@ pf_route6(struct pf_pdesc *pd, struct pf > ip6stat_inc(ip6s_noroute); > goto bad; > } > - > - ifp = if_get(rt->rt_ifidx); > - if (ifp == NULL) > - goto bad; > > /* A locally generated packet may have invalid source address. */ > if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) &&
This can't be right. rt is only valid after rtalloc() which is now called afterwards. This code is strange, the scope for the IPv6 address needs to be pulled out of s (pf_state) somehow. Also is the state using embedded or not-embedded scope addresses? Last but not least, I hate IPv6 and their scoped addressing. Worst feature ever. -- :wq Claudio
