Page MenuHomeFreeBSD
Differential D10941

Static analysis: Fix potential NULL dereference in ICMP6 code
ClosedPublic
Actions

Authored by jtl on May 26 2017, 4:54 PM.
Tags
None
Referenced Files
F132530267: D10941.id28872.diff
Fri, Oct 17, 5:33 PM
F132530263: D10941.id.diff
Fri, Oct 17, 5:33 PM
F132530262: D10941.id29014.diff
Fri, Oct 17, 5:33 PM
F132490858: D10941.diff
Fri, Oct 17, 8:53 AM
Unknown Object (File)
Mon, Sep 29, 3:58 AM
Unknown Object (File)
Aug 8 2025, 4:05 AM
Unknown Object (File)
Aug 3 2025, 6:19 PM
Unknown Object (File)
Jun 2 2025, 9:27 AM
View All 73 Files
Subscribers
ae
imp

Details

Reviewers
ae
Group Reviewers
network
Commits
rS319215: Fix two places in the ICMP6 code where we could dereference a NULL pointer
Summary

I ran clang's static analyzer over the kernel sources. It identified (apparently, correctly) two places in the ICMP6 code where we could dereference a NULL pointer in the icmp6_input() function.

When processing an ICMP6_ECHO_REQUEST, if IP6_EXTHDR_GET fails, it will set nicmp6 and n to NULL. Therefore, we should condition our modification to nicmp6 on n being not NULL.

And, when processing an ICMP6_WRUREQUEST in the (mode != FQDN) case, if m_dup_pkthdr() fails, the code will set n to NULL. However, the very next line dereferences n. Therefore, when m_dup_pkthdr() fails, we should discontinue further processing and follow the same path as when m_gethdr() fails.

Sponsored by: Netflix
MFC after: 2 weeks

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
head/
sys/
netinet6/
5 lines

Diff 29014

View Options

head/sys/netinet6/icmp6.c

Loading...