icmp6: fix use-after-reference-release
ClosedPublic
Actions

Authored by kp on May 22 2025, 12:39 PM.

Details

Reviewers

None

Group Reviewers

network
pfsense

Commits

rG23d8e956fbe2: icmp6: fix use-after-reference-release

Summary

We release the reference to the in6_ifaddr but retain a pointer to it.
Copy the address itself, rather than keeping the pointer to fix this.

Sponsored by: Rubicon Communications, LLC ("Netgate")

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

kp requested review of this revision.May 22 2025, 12:39 PM

I think this change is not necessary, but the comment should be revised instead. Is there any issue caused by referencing a released ifa ?

sys/netinet6/icmp6.c
2465	Well, `icmp6_redirect_output()` is within net epoch section, the following `ifa_free()` will defer the deallocating, so it is still safe to reference the released ifa. Then this comment is not accurate.

kp added inline comments.May 22 2025, 3:30 PM

sys/netinet6/icmp6.c
2465	That's a good catch. You're correct that this isn't actually going to cause problems, but I'm still inclined to make the change anyway, because it's highly counterintuitive (and might break if we ever change how ifa_free() works). Copying the address is clearly safe, and shouldn't cause anyone else to go chasing phantoms. It's a small amount of extra work, but this is essentially an error path (and is rate limited on line 2434).