From 6468b6b23e08d9bd02c8cb74ec0ff389ed74c3bb Mon Sep 17 00:00:00 2001
From: "Alexander V. Chernikov"
Date: Sun, 15 Jan 2023 15:10:48 +0000
Subject: [PATCH] nd6: fix panic in lltable_drop_entry_queue()

nd6_resolve_slow() can be called without mbuf. If the LLE entry is not reachable, nd6_resolve_slow() will add this NULL mbuf to the holdchain via lltable_append_entry_queue, which will "append" NULL to the end of the queue (effectively no-op) and bump la_numhold value. When this entry gets freed, the kernel will panic due to the inconsistency between the amount of mbufs in the queue and the value of la_numhold. Fix the panic by checking of mbuf is not NULL prior to inserting it into the holdchain.

Reported by: kib
MFC after: 3 days
---
 sys/netinet6/nd6.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index be881b6291a..de35127bd17 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -2369,7 +2369,6 @@ nd6_resolve_slow(struct ifnet *ifp, int family, int flags, struct mbuf *m,
 	struct in6_addr *psrc, src;
 	int send_ns, ll_len;
 	char *lladdr;
-	size_t dropped;
 
 	NET_EPOCH_ASSERT();
 
@@ -2436,8 +2435,12 @@ nd6_resolve_slow(struct ifnet *ifp, int family, int flags, struct mbuf *m,
 	 * packet queue in the mbuf. When it exceeds nd6_maxqueuelen,
 	 * the oldest packet in the queue will be removed.
 	 */
-	dropped = lltable_append_entry_queue(lle, m, V_nd6_maxqueuelen);
-	ICMP6STAT_ADD(icp6s_dropped, dropped);
+	if (m != NULL) {
+		size_t dropped;
+
+		dropped = lltable_append_entry_queue(lle, m, V_nd6_maxqueuelen);
+		ICMP6STAT_ADD(icp6s_dropped, dropped);
+	}
 
 	/*
 	 * If there has been no NS for the neighbor after entering the
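Review bot: The `if (m != NULL)` guard in the second hunk fixes this caller, but by the commit's own description the la_numhold/queue mismatch originates in lltable_append_entry_queue() counting a NULL mbuf, so any other caller that resolves without a packet would presumably hit the same panic; consider also rejecting NULL (or asserting on it) inside lltable_append_entry_queue() so the invariant is enforced where it is owned, not only here. The comment block just above the guard still describes only the queueing case, so a one-line note such as `/* No packet to queue when the caller only triggers resolution (m == NULL). */` would tell the next reader why the branch is skipped rather than leaving it to look like a defensive afterthought. nd6_resolve_slow() begins and ends outside both hunks.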