svn commit: r363682 - head/sys/kern

Thu Jul 30 00:52:37 UTC 2020

Author: markj
Date: Thu Jul 30 00:52:37 2020
New Revision: 363682
URL: https://svnweb.freebsd.org/changeset/base/363682

Log:
  Fix a logic error in uipc_ready_scan().
  
  When processing the last record in a socket buffer, take care to avoid a
  NULL pointer dereference when advancing the record iterator.
  
  Reported by:	syzbot+6a689cc9c27bd265237a at syzkaller.appspotmail.com
  Fixes:		r359778
  MFC after:	1 week
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/sys/kern/uipc_usrreq.c

Modified: head/sys/kern/uipc_usrreq.c
==============================================================================

--- head/sys/kern/uipc_usrreq.c	Wed Jul 29 23:59:35 2020	(r363681)
+++ head/sys/kern/uipc_usrreq.c	Thu Jul 30 00:52:37 2020	(r363682)
@@ -1279,7 +1279,8 @@ uipc_ready_scan(struct socket *so, struct mbuf *m, int
 			mb = mb->m_next;
 			if (mb == NULL) {
 				mb = n;
-				n = mb->m_nextpkt;
+				if (mb != NULL)
+					n = mb->m_nextpkt;
 			}
 		}
 	}
