remote use-after-free in icmp6

Alexander V. Chernikov melifaro at ipfw.ru
Wed Oct 28 20:27:25 UTC 2020


28.10.2020, 20:25, "Alexander V. Chernikov" <melifaro at ipfw.ru>:
> 28.10.2020, 18:34, "Maxime Villard" <max at m00nbsd.net>:
>> In icmp6_notify_error(), 'finaldst' points to data within an mbuf, but when
>> iterating over the next IPv6 options the kernel can free that mbuf, meaning
>> the dereferences of 'finaldst' hit a freed buffer.
[sorry for reposting, plaintext this time]
> Fixed in r367114, thanks for reporting!
>> Note that this is triggerable without specific conditions, over just ICMPv6.
>>
>> Maxime
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
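
The bug class described in the report, shown as an added user-space example; it is not FreeBSD code and not the change made in r367114. The toy `struct pkt` stands in for an mbuf, and the hypothetical `walk_copying_dst()` copies the destination address by value before any step that can replace the storage, then reports how many times a pointer taken before the loop would have gone stale.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an mbuf: the storage can be replaced while parsing. */
struct pkt {
    uint8_t *data;
    size_t len;
    unsigned gen;   /* bumped every time the storage is replaced */
};

/* Stand-in for a pulldown step: moves the bytes and frees the old storage. */
static int pkt_relocate(struct pkt *p)
{
    uint8_t *n = malloc(p->len);
    if (n == NULL)
        return -1;
    memcpy(n, p->data, p->len);
    free(p->data);  /* every pointer into the old storage is now dangling */
    p->data = n;
    p->gen++;
    return 0;
}

/* Copies the 16-byte address at 'off' BEFORE walking 'nhdrs' headers.
 * Returns how many relocations happened during the walk, or -1 on error. */
int walk_copying_dst(struct pkt *p, size_t off, int nhdrs, uint8_t dst_out[16])
{
    if (off > p->len || p->len - off < 16)
        return -1;
    unsigned gen0 = p->gen;
    memcpy(dst_out, p->data + off, 16);  /* hardened: copy, do not alias */
    for (int i = 0; i < nhdrs; i++)
        if (pkt_relocate(p) != 0)        /* each header step may replace storage */
            return -1;
    return (int)(p->gen - gen0);
}

/* Constructed sample: 40-byte IPv6 header, destination address at offset 24. */
struct pkt *pkt_sample(void)
{
    struct pkt *p = malloc(sizeof(*p));
    if (p == NULL) return NULL;
    p->len = 40; p->gen = 0;
    p->data = calloc(1, p->len);
    if (p->data == NULL) { free(p); return NULL; }
    memset(p->data + 24, 0xAB, 16);
    return p;
}
```

A non-zero return means code that kept `p->data + off` from before the loop would be reading freed memory afterwards, which is the condition the report describes for `finaldst`.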

