[src/netbsd-8]: src/sys/netinet6 Pull up following revision(s) (requested by ...

[martin <martin%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/2c7fd0bd3938
branches:  netbsd-8
changeset: 434790:2c7fd0bd3938
user:      martin <martin%NetBSD.org@localhost>
date:      Fri Mar 30 11:42:59 2018 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #666):

        sys/netinet6/raw_ip6.c: revision 1.161

Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so
it is wrong to read ip6->ip6_nxt.

diffstat:

 sys/netinet6/raw_ip6.c |  7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diffs (35 lines):

diff -r 7469649ec19c -r 2c7fd0bd3938 sys/netinet6/raw_ip6.c
--- a/sys/netinet6/raw_ip6.c    Fri Mar 30 11:23:20 2018 +0000
+++ b/sys/netinet6/raw_ip6.c    Fri Mar 30 11:42:59 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: raw_ip6.c,v 1.157.2.2 2018/01/30 18:21:09 martin Exp $ */
+/*     $NetBSD: raw_ip6.c,v 1.157.2.3 2018/03/30 11:42:59 martin Exp $ */
 /*     $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $        */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.2 2018/01/30 18:21:09 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.3 2018/03/30 11:42:59 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -481,6 +481,7 @@
 
        if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 ||
            in6p->in6p_cksum != -1) {
+               const uint8_t nxt = ip6->ip6_nxt;
                int off;
                u_int16_t sum;
 
@@ -502,7 +503,7 @@
                        error = ENOBUFS;
                        goto bad;
                }
-               sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen);
+               sum = in6_cksum(m, nxt, sizeof(*ip6), plen);
                m = m_copyback_cow(m, off, sizeof(sum), (void *)&sum,
                    M_DONTWAIT);
                if (m == NULL) {