Page MenuHomeFreeBSD
Differential D40236

Fix NULL deref in ip_output during route change
ClosedPublic
Actions

Authored by vangyzen on May 23 2023, 3:27 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Dec 21, 12:18 AM
Unknown Object (File)
Thu, Dec 18, 8:29 PM
Unknown Object (File)
Nov 17 2025, 11:47 AM
Unknown Object (File)
Nov 12 2025, 2:27 PM
Unknown Object (File)
Nov 7 2025, 10:48 AM
Unknown Object (File)
Oct 25 2025, 1:15 AM
Unknown Object (File)
Oct 23 2025, 4:59 PM
Unknown Object (File)
Oct 22 2025, 9:54 PM
View All Files
Subscribers
badger
dab
emaste
imp
yuripv

Details

Reviewers
mmacy
glebius
dab
melifaro
Commits
rG8fa89d8b1904: Fix NULL deref in ip_output during route change
Summary

When changing the interface address during a route change,
the rtentry's rt_ifa will be NULL briefly. Some parts of
ip_output do not handle that NULL. In such case, re-validate
the rtentry. That validation does not check the rt_ifa, but
it does lock the route, which will synchronize with
rtrequest1_fib_change.

I would prefer to leave the rt_ifa pointer intact during
the route change, but ip6_output is not fully protected
by the net_epoch, so that could allow a use-after-free.
ip6_output already handles a NULL rt_ifa.

This is a direct commit to stable/12 because later branches
have nexthop and do not appear to have this bug.

PR: 271573
Reported by: Gaurav.Gandhi@dell.com
Sponsored by: Dell EMC Isilon

Test Plan

See the PR.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 51640
Build 48531: arc lint + arc unit

Event Timeline

vangyzen created this revision.May 23 2023, 3:27 PM
Herald added subscribers: dab, badger, imp. · View Herald TranscriptMay 23 2023, 3:27 PM
vangyzen requested review of this revision.May 23 2023, 3:27 PM
Harbormaster completed remote builds in B51640: Diff 122312.May 23 2023, 3:27 PM
vangyzen edited the summary of this revision. (Show Details)May 23 2023, 4:09 PM
vangyzen edited the test plan for this revision. (Show Details)
melifaro resigned from this revision.May 26 2023, 3:04 PM

I'm afraid I won't be able to review this in the foreseeable future. I think I completely forgot pre-nexthop routing logic.

dab accepted this revision.May 30 2023, 3:04 PM
This revision is now accepted and ready to land.May 30 2023, 3:04 PM
emaste added a comment.May 30 2023, 3:16 PM

Looks like a sensible approach for 12.x

Closed by commit rG8fa89d8b1904: Fix NULL deref in ip_output during route change (authored by vangyzen). · Explain WhyMay 30 2023, 5:13 PM
This revision was automatically updated to reflect the committed changes.
vangyzen added a commit: rG8fa89d8b1904: Fix NULL deref in ip_output during route change.
yuripv added a subscriber: yuripv.May 30 2023, 7:08 PM
yuripv added inline comments.
sys/netinet/ip_output.c
398

Sorry for chiming in late. The only "goto again" below does some cleanup, is it not needed here?

Revision Contents
Changeset List

PathSize
sys/
netinet/
4 lines

Diff 122312

View Options

sys/netinet/ip_output.c

Loading...