Source-Changes-HG archive


[src/trunk]: src/sys/netinet6 avoid panic when a packet with nonexistent link...



details:   https://anonhg.NetBSD.org/src/rev/349b585b7b68
branches:  trunk
changeset: 503193:349b585b7b68
user:      itojun <itojun%NetBSD.org@localhost>
date:      Fri Feb 02 15:54:56 2001 +0000

description:
avoid panic when a packet with nonexistent link-local address is issued.
kame 1.151 -> 1.152.

diffstat:

 sys/netinet6/ip6_output.c |  19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

diffs (37 lines):

diff -r dec44cf48a8f -r 349b585b7b68 sys/netinet6/ip6_output.c
--- a/sys/netinet6/ip6_output.c Fri Feb 02 14:20:33 2001 +0000
+++ b/sys/netinet6/ip6_output.c Fri Feb 02 15:54:56 2001 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: ip6_output.c,v 1.28 2001/01/24 09:04:17 itojun Exp $   */
-/*     $KAME: ip6_output.c,v 1.122 2000/08/19 02:12:02 jinmei Exp $    */
+/*     $NetBSD: ip6_output.c,v 1.29 2001/02/02 15:54:56 itojun Exp $   */
+/*     $KAME: ip6_output.c,v 1.152 2001/02/02 15:36:33 jinmei Exp $    */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -768,11 +768,24 @@
                 * Larger scopes than link will be supported in the near
                 * future.
                 */
+               origifp = NULL;
                if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src))
                        origifp = ifindex2ifnet[ntohs(ip6->ip6_src.s6_addr16[1])];
                else if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
                        origifp = ifindex2ifnet[ntohs(ip6->ip6_dst.s6_addr16[1])];
-               else
+               /*
+                * XXX: origifp can be NULL even in those two cases above.
+                * For example, if we remove the (only) link-local address
+                * from the loopback interface, and try to send a link-local
+                * address without link-id information.  Then the source
+                * address is ::1, and the destination address is the
+                * link-local address with its s6_addr16[1] being zero.
+                * What is worse, if the packet goes to the loopback interface
+                * by a default rejected route, the null pointer would be
+                * passed to looutput, and the kernel would hang.
+                * The following last resort would prevent such disaster.
+                */
+               if (origifp == NULL);
                        origifp = ifp;
        }
        else
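Review bot: The stray semicolon in the added line `if (origifp == NULL);` ends the if with an empty statement, so `origifp = ifp;` now runs unconditionally and overwrites the interface just selected by the two link-local lookups above it. Remove the semicolon so the fallback only applies when the lookup actually returned NULL, which is the case the new comment describes. Separately, both `ifindex2ifnet[ntohs(...s6_addr16[1])]` lookups index the table with a value embedded in the packet's address, and no range check is visible in this hunk; a NULL test on the result does not cover an index outside the table's bounds, so it is worth validating the index before the array access.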


