git: 8fa89d8b1904 - stable/12 - Fix NULL deref in ip_output during route change
Date: Tue, 30 May 2023 17:12:41 UTC
The branch stable/12 has been updated by vangyzen:

URL: https://cgit.FreeBSD.org/src/commit/?id=8fa89d8b190472778ed07db9d8937cb1ce7b44fc

commit 8fa89d8b190472778ed07db9d8937cb1ce7b44fc
Author: Eric van Gyzen <vangyzen@FreeBSD.org>
AuthorDate: 2023-05-23 09:46:42 +0000
Commit: Eric van Gyzen <vangyzen@FreeBSD.org>
CommitDate: 2023-05-30 12:10:03 +0000

    Fix NULL deref in ip_output during route change

    When changing the interface address during a route change,
    the rtentry's rt_ifa will be NULL briefly. Some parts of ip_output
    do not handle that NULL. In such case, re-validate the rtentry.
    That validation does not check the rt_ifa, but it does lock the route,
    which will synchronize with rtrequest1_fib_change.

    I would prefer to leave the rt_ifa pointer intact during the route
    change, but ip6_output is not fully protected by the net_epoch,
    so that could allow a use-after-free. ip6_output already handles
    a NULL rt_ifa.

    This is a direct commit to stable/12 because later branches have
    nexthop and do not appear to have this bug.

    PR: 271573
    Reported by: Gaurav.Gandhi@dell.com
    Sponsored by: Dell EMC Isilon
    Differential Revision: https://reviews.freebsd.org/D40236
---
 sys/netinet/ip_output.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 399afa184999..93b41376f3c2 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -393,6 +393,10 @@ again: goto bad; } ia = ifatoia(rte->rt_ifa); + if (ia == NULL) { + /* race with rtrequest1_fib_change */ + goto again; + } ifp = rte->rt_ifp; counter_u64_add(rte->rt_pksent, 1); rt_update_ro_flags(ro);
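
Review bot: The `goto again` in the new `ia == NULL` branch is an unbounded retry, and the comment beside it names the race without saying why the retry makes progress. The commit message gives the reason (re-validation does not check rt_ifa, but it locks the route, which synchronizes with rtrequest1_fib_change); that belongs in the code comment, because the code at `again:` lies outside this hunk's context and a reader of ip_output.c cannot tell from these lines that the loop will not spin while rt_ifa stays NULL. It is also worth confirming that nothing acquired between `again:` and this check needs to be released before jumping back, since the neighbouring error path leaves through `goto bad` rather than looping.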