Source-Changes-HG archive
[src/trunk]: src/sys/netinet6 Under some circumstances, udp6_output() would c...
details: https://anonhg.NetBSD.org/src/rev/fb1eb190121e
branches: trunk
changeset: 756392:fb1eb190121e
user: dyoung <dyoung%NetBSD.org@localhost>
date: Thu Jul 15 23:46:55 2010 +0000
description:
Under some circumstances, udp6_output() would call ip6_clearpktopts()
with an uninitialized struct ip6_pktopts on the stack, opt.
ip6_clearpktopts(&opt, ...) could dereference dangling pointers,
leading to memory corruption or a crash. Now, udp6_output() calls
ip6_clearpktopts(&opt, ...) only if opt was initialized. Thanks to
Clement LECIGNE for reporting this bug.
Fix a potential memory leak: it is udp6_output()'s responsibility
to free its mbuf arguments on error. In the unlikely event that
sa6_embedscope() failed, udp6_output() would not free its mbuf
arguments.
I will ask for this to be pulled up to -4, -5, and -5-0.
diffstat:
sys/netinet6/udp6_output.c | 12 +++++++-----
1 files changed, 7 insertions(+), 5 deletions(-)
diffs (47 lines):
diff -r 3d4c5b0978dd -r fb1eb190121e sys/netinet6/udp6_output.c
--- a/sys/netinet6/udp6_output.c Thu Jul 15 23:20:34 2010 +0000
+++ b/sys/netinet6/udp6_output.c Thu Jul 15 23:46:55 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: udp6_output.c,v 1.40 2010/07/08 00:12:35 dyoung Exp $ */
+/* $NetBSD: udp6_output.c,v 1.41 2010/07/15 23:46:55 dyoung Exp $ */
/* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.40 2010/07/08 00:12:35 dyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.41 2010/07/15 23:46:55 dyoung Exp $");
#include "opt_inet.h"
@@ -128,7 +128,8 @@
int scope_ambiguous = 0;
u_int16_t fport;
int error = 0;
- struct ip6_pktopts *optp, opt;
+ struct ip6_pktopts *optp = NULL;
+ struct ip6_pktopts opt;
int af = AF_INET6, hlen = sizeof(struct ip6_hdr);
#ifdef INET
struct ip *ip;
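Review bot: initializing `optp` to NULL at its declaration is what gives the later `if (optp == &opt)` test a defined value, but `opt` itself is still declared without an initializer, so the fix relies on an invariant that is not visible in this hunk: `optp` must be pointed at `&opt` only on the path that actually initializes `opt` (the `if (control)` block), and nothing else may read `opt` fields before that. A short comment on the `opt` declaration stating that `opt` is valid only when `optp == &opt` would document that invariant for the next reader.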
@@ -163,7 +164,7 @@
if (sin6->sin6_scope_id == 0 && !ip6_use_defzone)
scope_ambiguous = 1;
if ((error = sa6_embedscope(sin6, ip6_use_defzone)) != 0)
- return (error);
+ goto release;
}
if (control) {
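Review bot: the new `goto release` target is not in this hunk, so the reviewer should confirm that the `release` label frees both `m` and `control`; this error path runs before the `if (control)` block has processed anything, and the commit message says the function owns its mbuf arguments on error. If `release` falls through to the `releaseopt` code, the `optp == &opt` guard from the later hunk (together with `optp = NULL` at declaration) is what keeps it from touching the uninitialized `opt`, so the two hunks must be applied together. `error` is assigned inside the condition, so the non-zero return value is preserved by the jump.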
@@ -417,7 +418,8 @@
releaseopt:
if (control) {
- ip6_clearpktopts(&opt, -1);
+ if (optp == &opt)
+ ip6_clearpktopts(&opt, -1);
m_freem(control);
}
return (error);
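Review bot: the `optp == &opt` guard prevents clearing options that were never set up, but it depends on the setup path assigning `optp = &opt` only after `opt` has been initialized; if the setup routine can initialize and partially populate `opt` and then fail before `optp` is assigned, those options would leak here rather than be cleared. Worth checking that the code in the `if (control)` block assigns `optp = &opt` as soon as `opt` is initialized, not only on full success. As a minor style point, the nested `if` could be folded into the enclosing test as `if (control && optp == &opt)` only if `m_freem(control)` were moved out, so the nesting as written is the right choice.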