remote use-after-free in icmp6

Maxime Villard max at
Wed Oct 28 18:34:41 UTC 2020

In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when
iterating over the next IPv6 options the kernel can free that mbuf, meaning
the dereferences of 'finaldst' hit a freed buffer.

Note that this is triggerable without specific conditions, over just ICMPv6.
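
The bug class described above, as an added user-space model that is not code from this post or from the FreeBSD source: a pointer taken into packet storage is kept across a step that can replace that storage, next to the hardened form that copies the address by value first. The names pktbuf, addr16, pkt_pullup, walk_keep_pointer, walk_copy_value and demo are hypothetical, and a generation counter stands in for the free so the stale pointer is detected without being dereferenced.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an mbuf: storage that a pullup-style call may replace. */
struct pktbuf { uint8_t *data; size_t len; unsigned gen; };
struct addr16 { uint8_t b[16]; };   /* stand-in for struct in6_addr */
struct addr16 last_dst;             /* address copied by the hardened path */

/* Hypothetical pullup: frees the old storage, so pointers into it dangle. */
static int pkt_pullup(struct pktbuf *p) {
    uint8_t *n = malloc(p->len);
    if (n == NULL) return -1;
    memcpy(n, p->data, p->len);
    free(p->data);
    p->data = n;
    p->gen++;                       /* generation counter: detects staleness */
    return 0;
}

/* Reported pattern: pointer kept across the walk. Returns 1 if it went stale. */
int walk_keep_pointer(struct pktbuf *p, size_t off, size_t nopts) {
    const uint8_t *finaldst = p->data + off;
    unsigned gen = p->gen;
    for (size_t i = 0; i < nopts; i++)
        if (pkt_pullup(p) != 0) return -1;
    (void)finaldst;                 /* deliberately never dereferenced here */
    return p->gen != gen;
}

/* Hardened pattern: copy the address by value before the walk starts. */
int walk_copy_value(struct pktbuf *p, size_t off, size_t nopts, struct addr16 *out) {
    if (off > p->len || p->len - off < sizeof(*out)) return -1;
    memcpy(out, p->data + off, sizeof(*out));
    for (size_t i = 0; i < nopts; i++)
        if (pkt_pullup(p) != 0) return -1;
    return 0;
}

/* Constructed 40-byte sample buffer: byte i holds the value i. */
int demo(size_t nopts) {
    struct pktbuf p = { malloc(40), 40, 0 };
    if (p.data == NULL) return -1;
    for (size_t i = 0; i < p.len; i++) p.data[i] = (uint8_t)i;
    int stale = walk_keep_pointer(&p, 24, nopts);
    if (walk_copy_value(&p, 24, nopts, &last_dst) != 0) stale = -1;
    free(p.data);
    return stale;
}
```

demo(n) returns 1 when the kept pointer would have been stale after n option steps, while last_dst still holds the bytes copied before the walk.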

