udp: Fix a use-after-free in udp_multi_input()
ClosedPublic
Actions

Authored by markj on Dec 15 2021, 5:19 PM.

Details

Reviewers

glebius
tuexen

Group Reviewers

transport

Commits

rG014f98b11992: udp: Fix a use-after-free in udp_multi_input()

Summary

"ip" is a pointer into the mbuf chain, so we shouldn't access it after
the chain is freed.

Fix style at the call site.

Reported by: syzbot+7c8258509722af1b6145@syzkaller.appspotmail.com
Fixes: de2d47842e88 ("SMR protection for inpcbs")

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 43380
Build 40268: arc lint + arc unit

Event Timeline

markj created this revision.Dec 15 2021, 5:19 PM

Herald added a reviewer: transport. · View Herald TranscriptDec 15 2021, 5:19 PM

Herald added subscribers: melifaro, imp. · View Herald Transcript

markj requested review of this revision.Dec 15 2021, 5:19 PM

Harbormaster completed remote builds in B43380: Diff 100083.Dec 15 2021, 5:19 PM

afedorov added a subscriber: afedorov.Dec 15 2021, 6:01 PM

tuexen accepted this revision.Dec 15 2021, 6:23 PM

This revision is now accepted and ready to land.Dec 15 2021, 6:23 PM

markj edited the summary of this revision. (Show Details)Dec 15 2021, 7:13 PM

glebius accepted this revision.Dec 16 2021, 2:01 AM

Closed by commit rG014f98b11992: udp: Fix a use-after-free in udp_multi_input() (authored by markj). · Explain WhyDec 16 2021, 2:21 PM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rG014f98b11992: udp: Fix a use-after-free in udp_multi_input().

Revision Contents
Changeset List

Path

Size

sys/

netinet/

udp_usrreq.c

4 lines

Diff 100083

View Options

udp: Fix a use-after-free in udp_multi_input()ClosedPublicActions