Fix IPv6 socket option race condition and use after free.

Approved by:	so
Security:	FreeBSD-SA-20:20.ipv6
Security:	CVE-2020-7457
gordon 2020-07-08 20:11:40 +00:00 committed by Franco Fichtner
parent 00cf6fb724
commit fd64697027


@ -1484,8 +1484,10 @@ ip6_ctloutput(struct socket *so, struct sockopt *sopt)
error = soopt_mcopyin(sopt, m); /* XXX */
if (error != 0)
break;
INP_WLOCK(in6p);
error = ip6_pcbopts(&in6p->in6p_outputopts,
m, so, sopt);
INP_WUNLOCK(in6p);
m_freem(m); /* XXX */
break;
}
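Review bot: The write lock taken around the `ip6_pcbopts()` call is now an unstated precondition of that function, since nothing in the visible lines documents or asserts that the inpcb must be write-locked while `in6p_outputopts` is replaced. A later caller that omits the lock could reintroduce the race and use after free this commit closes. I would add `INP_WLOCK_ASSERT(sotoinpcb(so));` at the top of `ip6_pcbopts()` (assuming `in6p` is that socket's inpcb; the function's start is outside these hunks) and a comment above `INP_WLOCK(in6p);` such as `/* ip6_pcbopts() runs with the inpcb write-locked and must not sleep. */`. The switch to `M_NOWAIT` in the second hunk follows from the same constraint, so any other allocation or copy further down `ip6_pcbopts()` that can sleep, which I cannot see from here, would need the same treatment. The enclosing case block in `ip6_ctloutput()` starts above this hunk.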
@ -2227,8 +2229,11 @@ ip6_pcbopts(struct ip6_pktopts **pktopt, struct mbuf *m,
printf("ip6_pcbopts: all specified options are cleared.\n");
#endif
ip6_clearpktopts(opt, -1);
} else
opt = malloc(sizeof(*opt), M_IP6OPT, M_WAITOK);
} else {
opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT);
if (opt == NULL)
return (ENOMEM);
}
*pktopt = NULL;
if (!m || m->m_len == 0) {