svn commit: r360982 - head/sys/netinet6
Andrew Gallatin
gallatin at FreeBSD.org
Tue May 12 17:18:45 UTC 2020
Author: gallatin
Date: Tue May 12 17:18:44 2020
New Revision: 360982
URL: https://svnweb.freebsd.org/changeset/base/360982
Log:
IPv6: Fix a panic in the nd6 code with unmapped mbufs.
If the neighbor entry for an IPv6 TCP session using unmapped
mbufs times out, IPv6 will send an icmp6 dest. unreachable
message. In doing this, it will try to do a software checksum
on the reflected packet. If this is a TCP session using unmapped
mbufs, then there will be a kernel panic.
To fix this, just free packets with unmapped mbufs, rather
than sending the icmp.
Reviewed by: np, rrs
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D24821
Modified:
head/sys/netinet6/nd6.c
Modified: head/sys/netinet6/nd6.c
==============================================================================
--- head/sys/netinet6/nd6.c Tue May 12 17:07:28 2020 (r360981)
+++ head/sys/netinet6/nd6.c Tue May 12 17:18:44 2020 (r360982)
@@ -821,9 +821,27 @@ nd6_llinfo_timer(void *arg)
clear_llinfo_pqueue(ln);
}
nd6_free(&ln, 0);
- if (m != NULL)
- icmp6_error2(m, ICMP6_DST_UNREACH,
- ICMP6_DST_UNREACH_ADDR, 0, ifp);
+ if (m != NULL) {
+ struct mbuf *n = m;
+
+ /*
+ * if there are any ummapped mbufs, we
+ * must free them, rather than using
+ * them for an ICMP, as they cannot be
+ * checksummed.
+ */
+ while ((n = n->m_next) != NULL) {
+ if (n->m_flags & M_EXTPG)
+ break;
+ }
+ if (n != NULL) {
+ m_freem(m);
+ m = NULL;
+ } else {
+ icmp6_error2(m, ICMP6_DST_UNREACH,
+ ICMP6_DST_UNREACH_ADDR, 0, ifp);
+ }
+ }
}
break;
case ND6_LLINFO_REACHABLE:
More information about the svn-src-head
mailing list