upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-02-18 18:20:26 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

nd6: fix panic in lltable_drop_entry_queue()

Browse source 
nd6_resolve_slow() can be called without mbuf. If the LLE entry
 is not reachable, nd6_resolve_slow() will add this NULL mbuf to
 the holdchain via lltable_append_entry_queue, which will "append"
 NULL to the end of the queue (effectively no-op) and bump la_numhold
 value. When this entry gets freed, the kernel will panic due to the
 inconsistency between the amount of mbufs in the queue and the value
 of la_numhold.

Fix the panic by checking of mbuf is not NULL prior to inserting it
 into the holdchain.

Reported by:	kib
MFC after:	3 days
This commit is contained in:
Alexander V. Chernikov 2023-01-15 15:10:48 +00:00
parent b0286ee504
commit 6468b6b23e
1 changed files with 6 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
sys/netinet6/nd6.c
View file

@ -2369,7 +2369,6 @@ nd6_resolve_slow(struct ifnet *ifp, int family, int flags, struct mbuf *m,
struct in6_addr *psrc, src;
int send_ns, ll_len;
char *lladdr;
size_t dropped;
NET_EPOCH_ASSERT();
@ -2436,8 +2435,12 @@ nd6_resolve_slow(struct ifnet *ifp, int family, int flags, struct mbuf *m,
* packet queue in the mbuf. When it exceeds nd6_maxqueuelen,
* the oldest packet in the queue will be removed.
*/
dropped = lltable_append_entry_queue(lle, m, V_nd6_maxqueuelen);
ICMP6STAT_ADD(icp6s_dropped, dropped);
if (m != NULL) {
size_t dropped;
dropped = lltable_append_entry_queue(lle, m, V_nd6_maxqueuelen);
ICMP6STAT_ADD(icp6s_dropped, dropped);
}
/*
* If there has been no NS for the neighbor after entering the