D51500.id159321.diff
View Options

	diff --git a/sys/netinet6/scope6.c b/sys/netinet6/scope6.c
	--- a/sys/netinet6/scope6.c
	+++ b/sys/netinet6/scope6.c
	@@ -505,8 +505,23 @@
	struct ifnet*
	in6_getlinkifnet(uint32_t zoneid)
	{
	+ struct ifnet *ifp;

	- return (ifnet_byindex((u_short)zoneid));
	+ ifp = ifnet_byindex((u_short)zoneid);
	+
	+ if (ifp == NULL)
	+ return (NULL);
	+
	+ /* An interface might not be IPv6 capable. */
	+ if (ifp->if_afdata[AF_INET6] == NULL) {
	+ log(LOG_NOTICE,
	+ "%s: embedded scope points to an interface without "
	+ "IPv6: %s%%%d.\n", __func__,
	+ if_name(ifp), zoneid);
	+ return (NULL);
	+ }
	+
	+ return (ifp);
	}

	/*
	diff --git a/tests/sys/netpfil/pf/nat64.py b/tests/sys/netpfil/pf/nat64.py
	--- a/tests/sys/netpfil/pf/nat64.py
	+++ b/tests/sys/netpfil/pf/nat64.py
	@@ -33,7 +33,7 @@
	from atf_python.sys.net.vnet import VnetTestTemplate

	class TestNAT64(VnetTestTemplate):
	- REQUIRED_MODULES = [ "pf" ]
	+ REQUIRED_MODULES = [ "pf", "pflog" ]
	TOPOLOGY = {
	"vnet1": {"ifaces": ["if1"]},
	"vnet2": {"ifaces": ["if1", "if2"]},
	@@ -92,12 +92,15 @@
	def vnet2_handler(self, vnet):
	ifname = vnet.iface_alias_map["if1"].name

	+ ToolsHelper.print_output("/sbin/sysctl net.inet6.ip6.forwarding=1")
	ToolsHelper.print_output("/sbin/route add default 192.0.2.2")
	ToolsHelper.print_output("/sbin/pfctl -e")
	ToolsHelper.pf_rules([
	"pass inet6 proto icmp6",
	"pass in on %s inet6 af-to inet from 192.0.2.1" % ifname])

	+ vnet.pipe.send(socket.if_nametoindex("pflog0"))
	+
	@pytest.mark.require_user("root")
	@pytest.mark.require_progs(["scapy"])
	def test_tcp_rst(self):
	@@ -287,3 +290,39 @@
	reply = sp.sr1(packet, timeout=3)
	# We don't expect a reply to a corrupted packet
	assert not reply
	+
	+ @pytest.mark.require_user("root")
	+ @pytest.mark.require_progs(["scapy"])
	+ def test_noip6(self):
	+ """
	+ PR 288263: link-local target address in icmp6 ADVERT can cause NULL deref
	+ """
	+ ifname = self.vnet.iface_alias_map["if1"].name
	+ gw_mac = self.vnet.iface_alias_map["if1"].epairb.ether
	+ scopeid = self.wait_object(self.vnet_map["vnet2"].pipe)
	+ ToolsHelper.print_output("/sbin/route -6 add default 2001:db8::1")
	+
	+ import scapy.all as sp
	+
	+ pkt = sp.Ether(dst=gw_mac) \
	+ / sp.IPv6(dst="64:ff9b::203.0.113.2") \
	+ / sp.ICMPv6ND_NA(tgt="FFA2:%x:2821:125F:1D27:B3B2:3F6F:C43C" % scopeid)
	+ pkt.show()
	+ sp.hexdump(pkt)
	+ s = DelayedSend(pkt, sendif=ifname)
	+
	+ packets = sp.sniff(iface=ifname, timeout=5)
	+ for r in packets:
	+ r.show()
	+
	+ # Try scope id that likely doesn't have an interface at all
	+ pkt = sp.Ether(dst=gw_mac) \
	+ / sp.IPv6(dst="64:ff9b::203.0.113.2") \
	+ / sp.ICMPv6ND_NA(tgt="FFA2:%x:2821:125F:1D27:B3B2:3F6F:C43C" % 255)
	+ pkt.show()
	+ sp.hexdump(pkt)
	+ s = DelayedSend(pkt, sendif=ifname)
	+
	+ packets = sp.sniff(iface=ifname, timeout=5)
	+ for r in packets:
	+ r.show()

File Metadata

Mime Type: text/plain
Expires: Mon, Apr 13, 7:25 AM (3 h, 56 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 31399884
Default Alt Text: D51500.id159321.diff (3 KB)

D51500.id159321.diff
No OneTemporary
Actions

D51500.id159321.diff
View Options

File Metadata

Event Timeline

D51500.id159321.diffNo OneTemporaryActions

D51500.id159321.diffView Options

File Metadata

Event Timeline

D51500.id159321.diff
No OneTemporary
Actions

D51500.id159321.diff
View Options