svn commit: r360982 - head/sys/netinet6

Andrew Gallatin gallatin at FreeBSD.org
Tue May 12 17:18:45 UTC 2020


Author: gallatin
Date: Tue May 12 17:18:44 2020
New Revision: 360982
URL: https://svnweb.freebsd.org/changeset/base/360982

Log:
  IPv6: Fix a panic in the nd6 code with unmapped mbufs.
  
  If the neighbor entry for an IPv6 TCP session using unmapped
  mbufs times out, IPv6 will send an icmp6 dest. unreachable
  message. In doing this, it will try to do a software checksum
  on the reflected packet. If this is a TCP session using unmapped
  mbufs, then there will be a kernel panic.
  
  To fix this, just free packets with unmapped mbufs, rather
  than sending the icmp.
  
  Reviewed by:	np, rrs
  Sponsored by:	Netflix
  Differential Revision:	https://reviews.freebsd.org/D24821

Modified:
  head/sys/netinet6/nd6.c

Modified: head/sys/netinet6/nd6.c
==============================================================================
--- head/sys/netinet6/nd6.c	Tue May 12 17:07:28 2020	(r360981)
+++ head/sys/netinet6/nd6.c	Tue May 12 17:18:44 2020	(r360982)
@@ -821,9 +821,27 @@ nd6_llinfo_timer(void *arg)
 				clear_llinfo_pqueue(ln);
 			}
 			nd6_free(&ln, 0);
-			if (m != NULL)
-				icmp6_error2(m, ICMP6_DST_UNREACH,
-				    ICMP6_DST_UNREACH_ADDR, 0, ifp);
+			if (m != NULL) {
+				struct mbuf *n = m;
+
+				/*
+				 * if there are any ummapped mbufs, we
+				 * must free them, rather than using
+				 * them for an ICMP, as they cannot be
+				 * checksummed.
+				 */
+				while ((n = n->m_next) != NULL) {
+					if (n->m_flags & M_EXTPG)
+						break;
+				}
+				if (n != NULL) {
+					m_freem(m);
+					m = NULL;
+				} else {
+					icmp6_error2(m, ICMP6_DST_UNREACH,
+					    ICMP6_DST_UNREACH_ADDR, 0, ifp);
+				}
+			}
 		}
 		break;
 	case ND6_LLINFO_REACHABLE:
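
Review bot: the scan in the new `if (m != NULL)` block never tests the head mbuf, because `while ((n = n->m_next) != NULL)` advances to `m->m_next` before the first `M_EXTPG` check. If the first mbuf of a held packet can itself be unmapped, the chain would still be passed to icmp6_error2() and checksummed. Either start the walk at `m` (for example `for (n = m; n != NULL; n = n->m_next)`) or extend the comment to say why the head mbuf is known to be mapped. The comment also has a typo, "ummapped" for "unmapped". Separately, `m = NULL` after `m_freem(m)` has no visible later use of `m` in this hunk, so it may be worth confirming it is needed.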

