git: fc850f4f7d44 - stable/13 - netinet6: perform out-of-bounds check for loX multicast statistics
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 13 Jan 2023 21:25:18 UTC
The branch stable/13 has been updated by melifaro:
URL: https://cgit.FreeBSD.org/src/commit/?id=fc850f4f7d44201210750329eeb5ca35dd04b58c
commit fc850f4f7d44201210750329eeb5ca35dd04b58c
Author: Alexander V. Chernikov <melifaro@FreeBSD.org>
AuthorDate: 2022-07-04 20:03:06 +0000
Commit: Alexander V. Chernikov <melifaro@FreeBSD.org>
CommitDate: 2023-01-13 21:24:10 +0000
netinet6: perform out-of-bounds check for loX multicast statistics
Currently, some per-mbuf multicast statistics is stored in
the per-interface ip6stat.ip6s_m2m[] array of size 32 (IP6S_M2MMAX).
Check that loopback ifindex falls within 0.. IP6S_M2MMAX-1 range to
avoid silent data corruption. The latter cat happen with large
number of VNETs.
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D35715
MFC after: 2 weeks
(cherry picked from commit 0ed72537857bfb6ac6d19b0852a52288db79b8b0)
---
sys/netinet6/ip6_input.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 30ad9a53006a..2423b61e0b36 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -579,12 +579,11 @@ ip6_input(struct mbuf *m)
IP6STAT_INC(ip6s_mext1);
} else {
if (m->m_next) {
- if (m->m_flags & M_LOOP) {
- IP6STAT_INC(ip6s_m2m[V_loif->if_index]);
- } else if (rcvif->if_index < IP6S_M2MMAX)
- IP6STAT_INC(ip6s_m2m[rcvif->if_index]);
- else
- IP6STAT_INC(ip6s_m2m[0]);
+ struct ifnet *ifp = (m->m_flags & M_LOOP) ? V_loif : rcvif;
+ int ifindex = ifp->if_index;
+ if (ifindex >= IP6S_M2MMAX)
+ ifindex = 0;
+ IP6STAT_INC(ip6s_m2m[ifindex]);
} else
IP6STAT_INC(ip6s_m1);
}