ipfilter: Add NULL check for fin_dp in TCP, UDP, GRE, and AH packet handlers #2229

Closed

devnexen wants to merge 1 commit into
Conversation

Thank you for taking the time to contribute to FreeBSD! Some of these files have special handling. Important: @cschuber wants to review changes to sys/netpfil/ipfilter
ipfilter: Add NULL check for fin_dp in TCP, UDP, GRE, and AH packet handlers

Mirror commit 68ed816, which added the same check in ipf_pr_icmp() and ipf_pr_icmp6(). ipf_pr_pullup() can return success while leaving fin->fin_dp NULL (e.g. when fin_m is NULL on a synthesized fr_info_t, as constructed by ipf_checkicmp6matchingstate()), so callers that immediately dereference fin_dp must check for NULL too.

The same pattern was missed in ipf_pr_tcpcommon(), ipf_pr_udpcommon(), ipf_pr_gre(), ipf_pr_gre6(), and ipf_pr_ah(), each of which would panic on a NULL dereference under the same conditions.

Signed-off-by: David Carlier <devnexen@gmail.com>
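The defect class the commit message describes (a pull-up routine that reports success while leaving the data pointer unset, followed by a caller that dereferences it unconditionally) is modelled below in C as an added example. It is not ipfilter's code: `toy_mbuf`, `toy_frinfo`, `toy_pullup` and the two handler variants are constructed stand-ins whose behaviour follows the commit message's premise, which the page itself does not verify against the FreeBSD sources.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for ipfilter's mbuf and fr_info_t (hypothetical,
 * not the real FreeBSD definitions). */
struct toy_mbuf {
    unsigned char data[64];
    size_t len;
};

struct toy_frinfo {
    struct toy_mbuf *fin_m;   /* packet buffer; NULL on a synthesized fr_info_t */
    void *fin_dp;             /* header following the IP header */
    size_t fin_dlen;
};

/* Models the behaviour the commit message attributes to ipf_pr_pullup():
 * a success return (0) that leaves fin_dp NULL when there is no mbuf. */
static int toy_pullup(struct toy_frinfo *fin, size_t need)
{
    if (fin->fin_m == NULL)
        return 0;             /* "success", but fin_dp was never set */
    if (fin->fin_m->len < need)
        return -1;            /* short packet: genuine failure */
    fin->fin_dp = fin->fin_m->data;
    fin->fin_dlen = fin->fin_m->len;
    return 0;
}

#define TCP_MIN_LEN   20      /* minimal TCP header */
#define TCP_FLAGS_OFF 13      /* offset of the flags byte */

/* Before: trusts the pullup return code and dereferences fin_dp at once. */
static int tcp_handler_unchecked(struct toy_frinfo *fin, unsigned char *flags_out)
{
    if (toy_pullup(fin, TCP_MIN_LEN) != 0)
        return -1;
    /* NULL dereference if pullup "succeeded" without setting fin_dp */
    *flags_out = ((unsigned char *)fin->fin_dp)[TCP_FLAGS_OFF];
    return 0;
}

/* After: same logic plus the NULL check the PR proposes for each handler. */
static int tcp_handler_checked(struct toy_frinfo *fin, unsigned char *flags_out)
{
    if (toy_pullup(fin, TCP_MIN_LEN) != 0)
        return -1;
    if (fin->fin_dp == NULL)
        return -1;            /* success return with no data: reject the packet */
    *flags_out = ((unsigned char *)fin->fin_dp)[TCP_FLAGS_OFF];
    return 0;
}

/* Builds a constructed 20-byte TCP header with only the SYN flag set. */
static void make_syn(struct toy_mbuf *m)
{
    memset(m, 0, sizeof *m);
    m->len = TCP_MIN_LEN;
    m->data[TCP_FLAGS_OFF] = 0x02;   /* SYN */
}

/* Real packet through the hardened handler: returns the flags byte (0x02). */
int demo_checked_real(void)
{
    struct toy_mbuf m;
    struct toy_frinfo fin = { NULL, NULL, 0 };
    unsigned char flags = 0;
    make_syn(&m);
    fin.fin_m = &m;
    return tcp_handler_checked(&fin, &flags) == 0 ? flags : -1;
}

/* Real packet through the unchecked handler: also fine, returns 0x02. */
int demo_unchecked_real(void)
{
    struct toy_mbuf m;
    struct toy_frinfo fin = { NULL, NULL, 0 };
    unsigned char flags = 0;
    make_syn(&m);
    fin.fin_m = &m;
    return tcp_handler_unchecked(&fin, &flags) == 0 ? flags : -1;
}

/* Synthesized fr_info_t (fin_m NULL) through the hardened handler: the
 * unchecked variant would crash here; the checked one returns -1. */
int demo_checked_synthesized(void)
{
    struct toy_frinfo fin = { NULL, NULL, 0 };
    unsigned char flags = 0;
    return tcp_handler_checked(&fin, &flags);
}

int main(void)
{
    printf("checked, real packet:       flags=0x%02x\n", demo_checked_real());
    printf("unchecked, real packet:     flags=0x%02x\n", demo_unchecked_real());
    printf("checked, synthesized fin:   rc=%d\n", demo_checked_synthesized());
    return 0;
}
```

The point the example isolates is that a zero return from a helper is not the same as "the output pointer is populated"; when a function has a path that returns success without initializing what the caller reads next, every caller needs its own check, which is why the fix has to be repeated per handler rather than made once.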
Member

Thanks for the patch. (On phone app.) I'll review this when I get back on Monday.
Member

I don't see how fin_dp could ever be NULL. It is always *ip + hlen. fin_dp always points to the data header following the IP header. Do you have a panic dump I can look at?
Contributor (Author)

You're right; ipf_makefrip() sets fin_dp = ip + hlen unconditionally,