Date: Tue, 27 May 2025 12:02:26 GMT
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 23d8e956fbe2 - main - icmp6: fix use-after-reference-release
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=23d8e956fbe29418d74b78d98a453fcec1ad16da

commit 23d8e956fbe29418d74b78d98a453fcec1ad16da
Author:     Kristof Provost
AuthorDate: 2025-05-22 08:25:55 +0000
Commit:     Kristof Provost
CommitDate: 2025-05-27 09:47:43 +0000

    icmp6: fix use-after-reference-release

    We release the reference to the in6_ifaddr but retain a pointer to it.
    Copy the address itself, rather than keeping the pointer to fix this.

    The previous version was actually safe, because ifa_free() uses an epoch
    callback to free it, so the pointer would have remained valid as long as
    we are in net_epoch. Change it to copying the address anyway because it
    is more obviously correct and will remain correct even if ifa_free()
    changes later.

    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D50460
---
 sys/netinet6/icmp6.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index eaf8514fd5cf..9ea640fd24c8 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c 
@@ -2391,7 +2391,7 @@ void icmp6_redirect_output(struct mbuf *m0, struct nhop_object *nh) { struct ifnet *ifp; /* my outgoing interface */ - struct in6_addr *ifp_ll6; + struct in6_addr ifp_ll6; struct in6_addr *router_ll6; struct ip6_hdr *sip6; /* m0 as struct ip6_hdr */ struct mbuf *m = NULL; /* newly allocated one */ @@ -2461,8 +2461,7 @@ icmp6_redirect_output(struct mbuf *m0, struct nhop_object *nh) IN6_IFF_NOTREADY| IN6_IFF_ANYCAST)) == NULL) goto fail; - ifp_ll6 = &ia->ia_addr.sin6_addr; - /* XXXRW: reference released prematurely. */ + bcopy(&ia->ia_addr.sin6_addr, &ifp_ll6, sizeof(ifp_ll6)); ifa_free(&ia->ia_ifa); } @@ -2485,7 +2484,7 @@ icmp6_redirect_output(struct mbuf *m0, struct nhop_object *nh) ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 255; /* ip6->ip6_src must be linklocal addr for my outgoing if. */ - bcopy(ifp_ll6, &ip6->ip6_src, sizeof(struct in6_addr)); + bcopy(&ifp_ll6, &ip6->ip6_src, sizeof(struct in6_addr)); bcopy(&sip6->ip6_src, &ip6->ip6_dst, sizeof(struct in6_addr)); /* ND Redirect */
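Review bot: In the hunk at -2461,8, the new bcopy() before ifa_free() carries no comment, and the removed XXXRW line was the only marker of the lifetime concern at this spot. A short comment saying the address is copied by value because the reference is dropped on the next line would keep a later cleanup from going back to a pointer into ia. The copy could also be a plain struct assignment, `ifp_ll6 = ia->ia_addr.sin6_addr;`, which lets the compiler type-check both sides instead of relying on the size argument.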
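Review bot: In the hunk at -2485,7, the size argument is still `sizeof(struct in6_addr)` while the copy added in the previous hunk uses `sizeof(ifp_ll6)`; use one form for both so the two copies cannot drift apart. Separately, ifp_ll6 is now a stack object declared without an initializer, and the closing brace after ifa_free() shows it is filled inside a nested block, so please confirm that every path reaching this bcopy() has either gone through that copy or taken `goto fail`; otherwise uninitialized stack bytes would end up in ip6_src.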