From nobody Wed May 20 15:34:54 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLFwG62Q8z6dyL4 for ; Wed, 20 May 2026 15:34:54 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLFwG4bf6z3p1l for ; Wed, 20 May 2026 15:34:54 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779291294; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Y64HfE7dLz5ceURdj+7o2lyjzoSV8isoaVzN7wCoubU=; b=wyN6GTWtm9CuiYPkZTOLBgtzOjbOWYOzROH+QpbbZS7hzyxb9QSr6yAGuxtDOOVEkW9ZHR UOW8hr+nMZ/959CCl/pv/NJPFh8ebG8e94x52iLxAnq+4v05s6fkPcGnfdr5xgeojt8q0Q B9FtOnCbLgKacx1PPd3zOF1Uf8Q5/xq3ygvkwgH3/SA6d6Mt6zqYNCDutj909z+BZhEAHy l3m+DObXcyfXZuHAsCLnq6WVsF2QSvkIlxUgtdMuxHUGwxXOOyGkdY0BmlSdOiISPOYnPX ZtoHY9LFmHWA7SIMn6lSVbuCN24BZVxOpoiRFHC2m+pV9eEVuxFwAuCD8SiMyQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779291294; a=rsa-sha256; cv=none; b=U0J/3uuBnoLHNddLsIsuwPfX7qg261HM18NMSYXkTkU9x+2ClxFinsr2mp40DWYAvZxFyv nwH+xYBSlTMhQtvM3B5l+3MitKhB8EGtMJcCMyxAfrX1NwWkwFb4+cPfrWLTq+RUtjqh2r hcRs5EbMliEKPyUHtHRkNaz1kVXpETH5gKOjUr3JiOcocZ8ZI/JFpXiZXEuC+S29tEsddl ZvcP1QSIfPUaU9z4bxrPQkESffFWtv7Ic69zA7xtH+LRCdjGvtqbynHil5vA8EZuGZL0Ag seHJ9m/bZI4BsEqAhMgECFyAfKNPmn/neOX2+DoKt2+c2yJu+v3JlReXUkSF6Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779291294; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Y64HfE7dLz5ceURdj+7o2lyjzoSV8isoaVzN7wCoubU=; b=sPFanmXC2fNRKU/TpJDJSWe81KmNlk9IDuMr5maJAeet9HT+r2PcvN+d/nx2szWX7A3se+ 2XbpWfLRhe5uTRN/LlugbfA3eA0GCiK1Qq4xBEygyMIv9i0iY7hNZ3u7LAKD40LPWO/lei NR09X/cJFstlI/J1vRpKxBfCpOTDQIQtbc8lMYawsr6bT583o9IWnWy78+vsjW177BRWXH FLNfNDv+zVlKDY5ULzKUPoykx7P0nZpbiqRfHjT04veF6oF0gjoC95Jo4WB2tnZoDOUTGL 4C5poSd18kQp8nUk0hUxwi652Oxfa0/JFxJXAPaieAeaq+F8wl9X175KP10USA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gLFwG4BRwz16Lr for ; Wed, 20 May 2026 15:34:54 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 440f3 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 20 May 2026 15:34:54 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Cc: Teddy Engel From: Cy Schubert Subject: git: cdc40489a7a6 - main - ipfilter: Add NULL check for fin_m in ipf_pr_icmp6() List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cy X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: cdc40489a7a617b742e295cf9005b3569b45e823 Auto-Submitted: auto-generated Date: Wed, 20 May 2026 15:34:54 +0000 Message-Id: <6a0dd49e.440f3.47744cc0@gitrepo.freebsd.org> The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=cdc40489a7a617b742e295cf9005b3569b45e823 commit cdc40489a7a617b742e295cf9005b3569b45e823 Author: Teddy Engel AuthorDate: 2026-05-19 21:36:23 +0000 Commit: Cy Schubert CommitDate: 2026-05-20 15:33:43 +0000 ipfilter: Add NULL check for fin_m in ipf_pr_icmp6() Add NULL check for fin->fin_m before calling M_LEN() in the ICMPv6 error handling code path. When ipf_checkicmp6matchingstate() calls ipf_makefrip() with a synthesized fr_info_t that has fin_m set to NULL, the subsequent call to ipf_pr_ipv6hdr() can reach ipf_pr_icmp6() which would crash when trying to access the mbuf via M_LEN(). PR: 288333 MFC after: 1 week Pull Request: https://github.com/freebsd/freebsd-src/pull/2214 Signed-off-by: Teddy Engel --- sys/netpfil/ipfilter/netinet/fil.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c index 4174fdcc5f58..7b646d0d55db 100644 --- a/sys/netpfil/ipfilter/netinet/fil.c +++ b/sys/netpfil/ipfilter/netinet/fil.c @@ -916,6 +916,9 @@ ipf_pr_icmp6(fr_info_t *fin) if (fin->fin_plen < ICMP6ERR_IPICMPHLEN) break; + if (fin->fin_m == NULL) + break; + if (M_LEN(fin->fin_m) < fin->fin_plen) { if (ipf_coalesce(fin) != 1) return;