git: cdc40489a7a6 - main - ipfilter: Add NULL check for fin_m in ipf_pr_icmp6()
Date: Wed, 20 May 2026 15:34:54 UTC
The branch main has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=cdc40489a7a617b742e295cf9005b3569b45e823
commit cdc40489a7a617b742e295cf9005b3569b45e823
Author: Teddy Engel <engel.teddy@gmail.com>
AuthorDate: 2026-05-19 21:36:23 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-05-20 15:33:43 +0000
ipfilter: Add NULL check for fin_m in ipf_pr_icmp6()
Add NULL check for fin->fin_m before calling M_LEN() in the ICMPv6
error handling code path. When ipf_checkicmp6matchingstate() calls
ipf_makefrip() with a synthesized fr_info_t that has fin_m set to
NULL, the subsequent call to ipf_pr_ipv6hdr() can reach ipf_pr_icmp6()
which would crash when trying to access the mbuf via M_LEN().
PR: 288333
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by: Teddy Engel <engel.teddy@gmail.com>
---
sys/netpfil/ipfilter/netinet/fil.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
index 4174fdcc5f58..7b646d0d55db 100644
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -916,6 +916,9 @@ ipf_pr_icmp6(fr_info_t *fin)
if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
break;
+ if (fin->fin_m == NULL)
+ break;
+
if (M_LEN(fin->fin_m) < fin->fin_plen) {
if (ipf_coalesce(fin) != 1)
return;
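Review bot: the new `if (fin->fin_m == NULL) break;` guard ahead of `M_LEN(fin->fin_m)` has no comment saying when `fin_m` can legitimately be NULL, so a later reader may take it for dead code and remove it. A one-line comment naming the synthesized `fr_info_t` case from the commit message (ipf_checkicmp6matchingstate() calling ipf_makefrip()) would make the intent clear. The guard also leaves with `break`, the same way as the `fin_plen < ICMP6ERR_IPICMPHLEN` test just above it, so everything after the `M_LEN()` comparison is silently skipped for these synthesized entries. Please confirm that this is the intended result for the state-matching caller, and that no other mbuf access reachable on this path needs the same check.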