diff options
author | Gordon Tetlow <gordon@FreeBSD.org> | 2020-07-08 20:11:40 +0000 |
---|---|---|
committer | Gordon Tetlow <gordon@FreeBSD.org> | 2020-07-08 20:11:40 +0000 |
commit | e737287d4e7ed7145749c8fd8235ec930e3665f6 (patch) | |
tree | 85109944212e56f467c236127ebeb3cf6b67cc69 | |
parent | 0cae766bdc191ebd2a7c48ee6668ed2ad28e0eb9 (diff) | |
download | src-test2-e737287d4e7ed7145749c8fd8235ec930e3665f6.tar.gz src-test2-e737287d4e7ed7145749c8fd8235ec930e3665f6.zip |
Fix IPv6 socket option race condition and use after free.
Approved by: so
Security: FreeBSD-SA-20:20.ipv6
Security: CVE-2020-7457
Notes
Notes:
svn path=/releng/12.1/; revision=363026
-rw-r--r-- | sys/netinet6/ip6_output.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 9db8fc74575a..2b81b58f5f35 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -1544,8 +1544,10 @@ ip6_ctloutput(struct socket *so, struct sockopt *sopt) error = soopt_mcopyin(sopt, m); /* XXX */ if (error != 0) break; + INP_WLOCK(in6p); error = ip6_pcbopts(&in6p->in6p_outputopts, m, so, sopt); + INP_WUNLOCK(in6p); m_freem(m); /* XXX */ break; } @@ -2305,8 +2307,11 @@ ip6_pcbopts(struct ip6_pktopts **pktopt, struct mbuf *m, printf("ip6_pcbopts: all specified options are cleared.\n"); #endif ip6_clearpktopts(opt, -1); - } else - opt = malloc(sizeof(*opt), M_IP6OPT, M_WAITOK); + } else { + opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT); + if (opt == NULL) + return (ENOMEM); + } *pktopt = NULL; if (!m || m->m_len == 0) { |