To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Cc: Teddy Engel
From: Cy Schubert
Subject: git: c028080749c0 - main - ipfilter: Fix NULL dereferences in ipf_checkicmp6matchingstate()
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: c028080749c09e68c555155df0e9f681ba63c6ae
Date: Wed, 20 May 2026 15:34:55 +0000
Message-Id: <6a0dd49f.45b13.511e86bf@gitrepo.freebsd.org>

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=c028080749c09e68c555155df0e9f681ba63c6ae

commit c028080749c09e68c555155df0e9f681ba63c6ae
Author:     Teddy Engel
AuthorDate: 2026-05-19 21:36:33 +0000
Commit:     Cy Schubert
CommitDate: 2026-05-20 15:33:43 +0000

    ipfilter: Fix NULL dereferences in ipf_checkicmp6matchingstate()

    Add NULL checks for ic6 (the ICMPv6 header pointer from fin->fin_dp)
    and oic (the inner ICMPv6 header from ofin.fin_dp after ipf_makefrip).
    These pointers can be NULL when processing malformed ICMPv6 error
    packets with extension headers.

    Also fix the length validation: the original check
    (fin->fin_plen < sizeof(ip6_t)) could never trigger because an earlier
    check already ensures fin->fin_plen >= ICMP6ERR_MINPKTLEN (48).
    Replace with a proper check that fin->fin_dlen contains at least
    ICMPERR_ICMPHLEN + sizeof(ip6_t) bytes to ensure sufficient data
    exists for both the ICMPv6 error header and the embedded IPv6 header.

    PR:             288333
    MFC after:      1 week
    Pull Request:   https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by: Teddy Engel --- sys/netpfil/ipfilter/netinet/ip_state.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c index c8d6e4e0feb3..d5a04e326321 100644 --- a/sys/netpfil/ipfilter/netinet/ip_state.c +++ b/sys/netpfil/ipfilter/netinet/ip_state.c @@ -4364,9 +4364,13 @@ ipf_checkicmp6matchingstate(fr_info_t *fin) } ic6 = fin->fin_dp; + if (ic6 == NULL) { + SBUMPD(ipf_state_stats, iss_icmp6_miss); + return (NULL); + } oip6 = (ip6_t *)((char *)ic6 + ICMPERR_ICMPHLEN); - if (fin->fin_plen < sizeof(*oip6)) { + if (fin->fin_dlen < ICMPERR_ICMPHLEN + sizeof(*oip6)) { SBUMPD(ipf_state_stats, iss_icmp_short); return (NULL); } @@ -4408,6 +4412,10 @@ ipf_checkicmp6matchingstate(fr_info_t *fin) if (oip6->ip6_nxt == IPPROTO_ICMPV6) { oic = ofin.fin_dp; + if (oic == NULL) { + SBUMPD(ipf_state_stats, iss_icmp6_miss); + return (NULL); + } /* * an ICMP error can only be generated as a result of an * ICMP query, not as the response on an ICMP error
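Review bot: in the first hunk, the new bound `if (fin->fin_dlen < ICMPERR_ICMPHLEN + sizeof(*oip6))` is only sufficient if `fin_dlen` counts bytes from `fin_dp` (the ICMPv6 header) to the end of the packet and not from the end of the fixed IPv6 header; since the commit message says the offending packets carry extension headers, please confirm that `fin_dlen` already excludes them, otherwise the check can still pass with fewer bytes behind `oip6` than the embedded IPv6 header needs. A second point: the `ic6 == NULL` case is counted under `iss_icmp6_miss`, which lumps a malformed packet in with a genuine no-matching-state result; `iss_icmp_short`, as the length failure three lines below already uses, would let operators tell a truncated or unparsable ICMPv6 error apart from an unmatched one. Moving the `oip6 = ...` assignment below the length check would also avoid computing the inner pointer before the data behind it has been validated.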
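Review bot: in the second hunk, the `oic == NULL` guard sits inside the `oip6->ip6_nxt == IPPROTO_ICMPV6` branch, so any other use of `ofin.fin_dp` for the non-ICMPv6 inner protocols handled by this function is not covered; a single check placed directly after `ipf_makefrip()` fills `ofin`, or checking that call's return value, would protect every branch with one test instead of repeating the four-line block. Please also add a short comment above the guard stating why `fin_dp` can be NULL here (a malformed extension-header chain, per the commit message), so the check is not mistaken for a redundant one and removed later.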
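To make the dead-check argument in the commit message concrete, here is a small constructed model (added here, not ipfilter's code) of the old and new length gates and of how far past the packet the old path would read. The struct and field names are assumptions that only mirror fin_plen, fin_dlen and fin_dp; header sizes use the values the commit message gives (ICMPERR_ICMPHLEN = 8, sizeof(ip6_t) = 40, ICMP6ERR_MINPKTLEN = 48).

```c
/* Constructed model of ipf_checkicmp6matchingstate()'s length gates.
 * Not ipfilter's code; sizes follow the commit message. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP6_HLEN            40  /* sizeof(ip6_t) */
#define ICMPERR_ICMPHLEN     8  /* ICMPv6 error header */
#define ICMP6ERR_MINPKTLEN  48  /* value quoted in the commit message */

/* Hypothetical subset of fr_info_t: fin_plen, fin_dlen, fin_dp. */
struct fin {
    int plen;           /* whole IPv6 packet length */
    int dlen;           /* bytes from the ICMPv6 header to packet end */
    const uint8_t *dp;  /* ICMPv6 header, or NULL if parsing failed */
};

enum verdict { ICMP_OK = 0, ICMP6_MISS = 1, ICMP_SHORT = 2 };

/* Old logic: once plen >= 48 passed, plen < 40 can never be true. */
enum verdict old_check(const struct fin *fin)
{
    if (fin->plen < ICMP6ERR_MINPKTLEN) return ICMP_SHORT;
    if (fin->plen < IP6_HLEN) return ICMP_SHORT;   /* dead check */
    return ICMP_OK;
}

/* New logic: guard the header pointer, then require ICMPv6 error
 * header plus a full embedded IPv6 header behind it. */
enum verdict new_check(const struct fin *fin)
{
    if (fin->plen < ICMP6ERR_MINPKTLEN) return ICMP_SHORT;
    if (fin->dp == NULL) return ICMP6_MISS;
    if (fin->dlen < ICMPERR_ICMPHLEN + IP6_HLEN) return ICMP_SHORT;
    return ICMP_OK;
}

/* Bytes beyond the packet the old path reads while parsing oip6. */
int old_overread(const struct fin *fin)
{
    int need = ICMPERR_ICMPHLEN + IP6_HLEN;
    if (old_check(fin) != ICMP_OK) return 0;
    return fin->dlen < need ? need - fin->dlen : 0;
}

/* Constructed packet: 40-byte IPv6 header, 16 bytes of extension
 * headers, then 28 bytes of ICMPv6 error (8 + a truncated inner header). */
static const uint8_t pkt[84];
const struct fin truncated = { 84, 84 - (IP6_HLEN + 16), pkt + IP6_HLEN + 16 };
```

Under the old gate the truncated packet is accepted and the inner header parse runs 20 bytes past its end; the new gate rejects it as short.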