authorGordon Tetlow <gordon@FreeBSD.org>2020-07-08 20:11:40 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2020-07-08 20:11:40 +0000
commit7b1e233dc9bbc5c91dfc8bc09547ed5b83d175a6 (patch)
tree4b0c37184310a9adb8d59c882d0e41211d1b3e54
parent6dfa236dcd29f6d0b1c8f62251bd6214e4f91467 (diff)
Fix IPv6 socket option race condition and use after free.
Approved by: so Security: FreeBSD-SA-20:20.ipv6 Security: CVE-2020-7457
Notes
Notes: svn path=/releng/11.4/; revision=363026
-rw-r--r--sys/netinet6/ip6_output.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 3fe8cbd28774..dee86641ff93 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1514,8 +1514,10 @@ ip6_ctloutput(struct socket *so, struct sockopt *sopt)
error = soopt_mcopyin(sopt, m); /* XXX */
if (error != 0)
break;
+ INP_WLOCK(in6p);
error = ip6_pcbopts(&in6p->in6p_outputopts,
m, so, sopt);
+ INP_WUNLOCK(in6p);
m_freem(m); /* XXX */
break;
}
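Review bot: The write lock added around `ip6_pcbopts()` closes the race only if every other path that reads or replaces `in6p->in6p_outputopts` also holds the inpcb lock. This hunk covers the one call site in the case block shown, and the rest of `ip6_ctloutput` lies outside it, so the other paths need confirming. The switch to `M_NOWAIT` in the second hunk suggests the lock cannot be held across a sleep, in which case nothing reached from `ip6_pcbopts()` may sleep either; the diff changes only one `malloc`. A short comment at the lock would record both constraints, for example `/* inp lock serializes replacement of in6p_outputopts; callee must not sleep */`.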
@@ -2260,8 +2262,11 @@ ip6_pcbopts(struct ip6_pktopts **pktopt, struct mbuf *m,
printf("ip6_pcbopts: all specified options are cleared.\n");
#endif
ip6_clearpktopts(opt, -1);
- } else
- opt = malloc(sizeof(*opt), M_IP6OPT, M_WAITOK);
+ } else {
+ opt = malloc(sizeof(*opt), M_IP6OPT, M_NOWAIT);
+ if (opt == NULL)
+ return (ENOMEM);
+ }
*pktopt = NULL;
if (!m || m->m_len == 0) {
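Review bot: `ip6_pcbopts()` now depends on its caller holding the inpcb write lock, but nothing in the visible lines states or enforces that. An assertion at the top of the function, `INP_WLOCK_ASSERT(sotoinpcb(so));`, would catch a later unlocked caller that reintroduces the use after free. This assumes the third parameter is the socket, as the call in the first hunk passes `so`. The new `ENOMEM` return can now fail a setsockopt under memory pressure where `M_WAITOK` would have waited, so a comment on the allocation such as `/* M_NOWAIT: caller holds the inp lock and cannot sleep */` would discourage reverting it. The function begins before this hunk and continues past it.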