
Fix NULL deref in ip_output during route change

Authored by vangyzen on Tue, May 23, 3:27 PM.



When changing the interface address during a route change,
the rtentry's rt_ifa will be NULL briefly. Some parts of
ip_output do not handle that NULL. In such a case, re-validate
the rtentry. That validation does not check the rt_ifa, but
it does lock the route, which will synchronize with

I would prefer to leave the rt_ifa pointer intact during
the route change, but ip6_output is not fully protected
by the net_epoch, so that could allow a use-after-free.
ip6_output already handles a NULL rt_ifa.

This is a direct commit to stable/12 because later branches
have nexthop and do not appear to have this bug.

PR: 271573
Reported by:
Sponsored by: Dell EMC Isilon
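The following is an added userland model of the race described in the summary above; it is not part of this revision or of the FreeBSD source. The struct names mirror the kernel's (rtentry, rt_ifa) but the field layout is hypothetical, a pthread mutex stands in for RT_LOCK()/RT_UNLOCK(), and the route-change and output paths are reduced to the few operations that matter. A background thread keeps flipping the route between two interface addresses, clearing rt_ifa under the lock while it does so. The unfixed output path trusts a lockless snapshot of rt_ifa and reports where the kernel would have dereferenced NULL; the fixed path treats a NULL snapshot as "change in flight" and re-validates under the route lock, which serializes with the change, so the re-read pointer is never the transient NULL.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: names follow the kernel, layout is hypothetical. */
struct ifaddr {
    int ifa_id;
};

struct rtentry {
    pthread_mutex_t rt_mtx;             /* stands in for RT_LOCK()/RT_UNLOCK() */
    _Atomic(struct ifaddr *) rt_ifa;    /* NULL briefly during a route change */
};

static struct ifaddr ifa_a = { 1 };
static struct ifaddr ifa_b = { 2 };

/* Route change: rt_ifa is cleared, then re-set, all under the route lock. */
static void route_change(struct rtentry *rt, struct ifaddr *next)
{
    pthread_mutex_lock(&rt->rt_mtx);
    rt->rt_ifa = NULL;                  /* old interface address detached */
    rt->rt_ifa = next;                  /* new interface address attached */
    pthread_mutex_unlock(&rt->rt_mtx);
}

/* Unfixed behaviour: trust the lockless snapshot.  Returns false where the
 * kernel would have dereferenced NULL (rt->rt_ifa->...) and panicked. */
static bool ip_output_unfixed(struct rtentry *rt, int *ifa_id)
{
    struct ifaddr *ifa = rt->rt_ifa;
    if (ifa == NULL)
        return false;
    *ifa_id = ifa->ifa_id;
    return true;
}

/* Re-validation: taking the route lock serializes with route_change(), so
 * the pointer read while holding it cannot be the transient NULL. */
static struct ifaddr *rt_revalidate(struct rtentry *rt)
{
    pthread_mutex_lock(&rt->rt_mtx);
    struct ifaddr *ifa = rt->rt_ifa;
    pthread_mutex_unlock(&rt->rt_mtx);
    return ifa;
}

/* Fixed behaviour: a NULL snapshot means a change is in flight; re-validate
 * instead of dereferencing.  *retries counts how often that path was taken. */
static struct ifaddr *ip_output_fixed(struct rtentry *rt, unsigned *retries)
{
    struct ifaddr *ifa = rt->rt_ifa;    /* lockless fast path */
    if (ifa == NULL) {
        (*retries)++;
        ifa = rt_revalidate(rt);        /* the "goto again" path */
    }
    return ifa;
}

struct changer_arg {
    struct rtentry *rt;
    _Atomic bool stop;
};

/* Background thread flipping the route between the two interface addresses. */
static void *changer(void *p)
{
    struct changer_arg *arg = p;
    for (unsigned i = 0; !arg->stop; i++)
        route_change(arg->rt, (i & 1) ? &ifa_a : &ifa_b);
    return NULL;
}

/* Drive both output paths against a concurrent route changer.  Returns how
 * many times the fixed path yielded an unusable ifa (expected 0).  The
 * would-be panics of the unfixed path and the fixed path's re-validations
 * depend on scheduling, so they are reported through the optional pointers. */
static unsigned run_race(unsigned iters, unsigned *unfixed_crashes, unsigned *retries)
{
    struct rtentry rt = { PTHREAD_MUTEX_INITIALIZER, &ifa_a };
    struct changer_arg arg = { &rt, false };
    unsigned crashes = 0, revalidations = 0, fixed_failures = 0;
    pthread_t tid;

    pthread_create(&tid, NULL, changer, &arg);
    for (unsigned i = 0; i < iters; i++) {
        int id;
        if (!ip_output_unfixed(&rt, &id))
            crashes++;
        struct ifaddr *ifa = ip_output_fixed(&rt, &revalidations);
        if (ifa != &ifa_a && ifa != &ifa_b)
            fixed_failures++;
    }
    arg.stop = true;
    pthread_join(tid, NULL);
    pthread_mutex_destroy(&rt.rt_mtx);
    if (unfixed_crashes) *unfixed_crashes = crashes;
    if (retries) *retries = revalidations;
    return fixed_failures;
}

int main(void)
{
    unsigned crashes, retries;
    unsigned bad = run_race(200000, &crashes, &retries);
    printf("unfixed path would have panicked %u times, fixed path re-validated %u times, "
           "fixed path failures: %u\n", crashes, retries, bad);
    return bad != 0;
}
```

The counts printed for the unfixed path and for re-validations vary from run to run (they depend on how often the scheduler lands the output loop inside the NULL window); the invariant the fix provides is that the re-validated pointer is always one of the two live interface addresses.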

Test Plan

See the PR.

Diff Detail

rG FreeBSD src repository
Lint Not Applicable
Tests Not Applicable

Event Timeline

vangyzen edited the test plan for this revision. (Show Details)

I'm afraid I won't be able to review this in the foreseeable future. I think I completely forgot pre-nexthop routing logic.

This revision is now accepted and ready to land. Tue, May 30, 3:04 PM

Looks like a sensible approach for 12.x

yuripv added inline comments.

Sorry for chiming in late. The only "goto again" below does some cleanup, is it not needed here?