[src/netbsd-7-0]: src/sys/netinet6 Pull up following revision(s) (requested b...

[martin <martin%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/e2d94386a796
branches:  netbsd-7-0
changeset: 801471:e2d94386a796
user:      martin <martin%NetBSD.org@localhost>
date:      Sun Apr 01 09:14:45 2018 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #1591):

        sys/netinet6/raw_ip6.c: revision 1.161

Fix use-after-free, the first m_copyback_cow may have freed the mbuf, so
it is wrong to read ip6->ip6_nxt.

diffstat:

 sys/netinet6/raw_ip6.c |  7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diffs (35 lines):

diff -r 1d6068f2e636 -r e2d94386a796 sys/netinet6/raw_ip6.c
--- a/sys/netinet6/raw_ip6.c    Sun Apr 01 09:09:58 2018 +0000
+++ b/sys/netinet6/raw_ip6.c    Sun Apr 01 09:14:45 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: raw_ip6.c,v 1.136.6.1 2018/01/30 18:31:53 martin Exp $ */
+/*     $NetBSD: raw_ip6.c,v 1.136.6.2 2018/04/01 09:14:45 martin Exp $ */
 /*     $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $        */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.136.6.1 2018/01/30 18:31:53 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.136.6.2 2018/04/01 09:14:45 martin Exp $");
 
 #include "opt_ipsec.h"
 
@@ -476,6 +476,7 @@
 
        if (so->so_proto->pr_protocol == IPPROTO_ICMPV6 ||
            in6p->in6p_cksum != -1) {
+               const uint8_t nxt = ip6->ip6_nxt;
                int off;
                u_int16_t sum;
 
@@ -497,7 +498,7 @@
                        error = ENOBUFS;
                        goto bad;
                }
-               sum = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen);
+               sum = in6_cksum(m, nxt, sizeof(*ip6), plen);
                m = m_copyback_cow(m, off, sizeof(sum), (void *)&sum,
                    M_DONTWAIT);
                if (m == NULL) {