tech-net archive


ipfilter pass NULL mbuf to ether_output()

In the update to IPFilter 4.1.29, sys/dist/ipf/netinet/ip_fil_netbsd.c
got this change in ipfr_fastroute6():
@@ -1498,9 +1544,9 @@
                if ((error == 0) && (m0->m_pkthdr.len <= mtu)) {
                        *mpp = NULL;
 # if __NetBSD_Version__ >= 499001100
-                       error = nd6_output(ifp, ifp, m0, satocsin6(dst), rt);
+                       error = nd6_output(ifp, ifp, *mpp, satocsin6(dst), rt);
 # else
-                       error = nd6_output(ifp, ifp, m0, dst6, rt);
+                       error = nd6_output(ifp, ifp, *mpp, dst6, rt);
 # endif
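Review bot: the two `+` lines pass `*mpp` to nd6_output() immediately after the unchanged context line `*mpp = NULL;`, so the mbuf argument is always NULL on this path. If the intent is to mark the mbuf as consumed by the output routine, keep passing the local `m0` (as on the `-` lines) and clear `*mpp` once the hand-off is done, e.g. `error = nd6_output(ifp, ifp, m0, satocsin6(dst), rt);` followed by `*mpp = NULL;`, rather than clearing the caller's reference before it is used.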

The effect of this change is to call nd6_output() with a NULL mbuf pointer,
and nd6_output() will call ether_output with this NULL pointer, and will
do a NULL pointer dereference. This happens when using 'return-rst' or
'return-icmp' in ipf6.conf. Reverting this change avoids the panic and
makes ipfilter behave as intended.

What was the purpose of this change? Is it OK to revert it?

Manuel Bouyer <>
     NetBSD: 26 years of experience will always make the difference
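As an added illustration (not part of the original message and not the IPFilter or NetBSD code), the following C model reproduces the ordering problem the report describes: an out-parameter is cleared to mark the mbuf as consumed and is then used as the argument to the output routine. The `struct mbuf`, `model_nd6_output()`, the two `fastroute6_*()` functions and the `demo_*()` helpers are constructed stand-ins; the model returns EINVAL where the real nd6_output()/ether_output() path would dereference the NULL pointer and panic, so the defect is observable without a kernel.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, minimal stand-in for the kernel mbuf (assumption: only the
 * packet length matters here). Not the real NetBSD struct mbuf. */
struct mbuf {
    int len;
};

/* Model of nd6_output(): the real function hands the mbuf to ether_output(),
 * which dereferences it. The model rejects NULL with EINVAL instead of
 * crashing, so the buggy ordering produces a visible error code. */
static int model_nd6_output(struct mbuf *m)
{
    if (m == NULL)
        return EINVAL;      /* real kernel: NULL pointer dereference, panic */
    m->len = 0;             /* pretend the frame was consumed and sent */
    return 0;
}

/* Ordering as in the 4.1.29 change: the caller's reference is cleared first
 * and then passed on, so the output routine always receives NULL. */
static int fastroute6_buggy(struct mbuf **mpp, int mtu)
{
    struct mbuf *m0 = *mpp;
    if (m0 == NULL)
        return EINVAL;
    if (m0->len > mtu)
        return EMSGSIZE;            /* simplification: no fragmentation path */
    *mpp = NULL;                    /* caller's reference cleared ... */
    return model_nd6_output(*mpp);  /* ... and then used as the mbuf argument */
}

/* Corrected ordering (the behaviour of the '-' lines): hand off the local
 * copy m0; clearing *mpp afterwards still tells the caller the mbuf is gone. */
static int fastroute6_fixed(struct mbuf **mpp, int mtu)
{
    struct mbuf *m0 = *mpp;
    if (m0 == NULL)
        return EINVAL;
    if (m0->len > mtu)
        return EMSGSIZE;
    *mpp = NULL;                    /* ownership passes to the output path */
    return model_nd6_output(m0);    /* the local copy is still valid */
}

/* Constructed 1280-byte packet against a 1500-byte MTU: buggy ordering. */
int demo_buggy(void)
{
    struct mbuf pkt = { 1280 };
    struct mbuf *mp = &pkt;
    return fastroute6_buggy(&mp, 1500);     /* EINVAL in the model */
}

/* Same packet, corrected ordering: returns 0 and the packet is consumed. */
int demo_fixed(void)
{
    struct mbuf pkt = { 1280 };
    struct mbuf *mp = &pkt;
    return fastroute6_fixed(&mp, 1500);     /* 0 */
}

/* After the fixed hand-off the caller's reference is cleared (1) and the
 * packet length was zeroed by the consumer (2); returns 3 when both hold. */
int demo_fixed_consumed(void)
{
    struct mbuf pkt = { 1280 };
    struct mbuf *mp = &pkt;
    int flags = 0;
    if (fastroute6_fixed(&mp, 1500) != 0)
        return -1;
    if (mp == NULL)
        flags |= 1;
    if (pkt.len == 0)
        flags |= 2;
    return flags;
}

int main(void)
{
    printf("buggy ordering: error %d (EINVAL=%d)\n", demo_buggy(), EINVAL);
    printf("fixed ordering: error %d, consumed flags %d\n",
           demo_fixed(), demo_fixed_consumed());
    return demo_buggy() == EINVAL && demo_fixed() == 0 ? 0 : 1;
}
```

The point of the model is the order of the two statements, not the error code: once `*mpp` has been cleared, the only valid handle on the mbuf is the local `m0`, which is exactly what the pre-4.1.29 lines passed.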
