git: f9fc93690aef - main - sys/netinet6: fix memory corruption in in6_ifadd
Date: Thu, 02 Oct 2025 14:25:34 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=f9fc93690aef7a56f62a051de6231fe2af699728
commit f9fc93690aef7a56f62a051de6231fe2af699728
Author: Mateusz Guzik <mjg@netgate.com>
AuthorDate: 2025-09-29 15:01:53 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-10-02 13:33:17 +0000
sys/netinet6: fix memory corruption in in6_ifadd
The routine allocates the wrong size and then passes it to in6_get_ifid.
At the same time it violates invariants by issuing malloc with M_WAITOK
while within net epoch section.
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/netinet6/nd6_rtr.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sys/netinet6/nd6_rtr.c b/sys/netinet6/nd6_rtr.c
index 78dc55dd292f..f9684b085767 100644
--- a/sys/netinet6/nd6_rtr.c
+++ b/sys/netinet6/nd6_rtr.c
@@ -1243,9 +1243,8 @@ in6_ifadd(struct nd_prefixctl *pr, int mcast)
/* No suitable LL address, get the ifid directly */
if (ifid_addr == NULL) {
- struct in6_addr taddr;
- ifa = ifa_alloc(sizeof(taddr), M_WAITOK);
- if (ifa) {
+ ifa = ifa_alloc(sizeof(struct in6_ifaddr), M_NOWAIT);
+ if (ifa != NULL) {
ib = (struct in6_ifaddr *)ifa;
ifid_addr = &ib->ia_addr.sin6_addr;
if(in6_get_ifid(ifp, NULL, ifid_addr) != 0) {
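Review bot: with M_NOWAIT in the `ifa_alloc(sizeof(struct in6_ifaddr), M_NOWAIT)` line the allocation can now fail, and the hunk does not show what happens when `ifa` is NULL and `ifid_addr` is therefore still NULL after the `if (ifa != NULL)` block. Please confirm that the code following this block bails out in that case rather than using `ifid_addr`. A one-line comment above the call stating that M_NOWAIT is required because this runs inside a net epoch section would keep a later cleanup from switching it back. Since `ifa` is immediately cast to `struct in6_ifaddr *` and written through `ib`, sizing the allocation as `sizeof(*ib)` would tie the size to the type actually used and guard against the same mismatch recurring.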