[src/trunk]: src/sys/netinet Fix panic on packet sending via a route with rt_...

[knakahara <knakahara%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/7446a9c36496
branches:  trunk
changeset: 372387:7446a9c36496
user:      knakahara <knakahara%NetBSD.org@localhost>
date:      Mon Nov 21 09:51:13 2022 +0000

description:
Fix panic on packet sending via a route with rt_ifa of AF_LINK.

A route with rt_ifa of AF_LINK can be set by some routing daemons when
it adds a route that has a gateway of AF_LINK.  If there is no address on
a target interface, the kernel sets an AF_LINK address of the interface to
rt_ifa of the route.  In that case, a variable of a local address in
ip_output (ia) can be NULL and we need more NULL-checks of it.

diffstat:

 sys/netinet/ip_output.c |  22 ++++++++++++++++++++--
 1 files changed, 20 insertions(+), 2 deletions(-)

diffs (50 lines):

diff -r 2f1bac607f4b -r 7446a9c36496 sys/netinet/ip_output.c
--- a/sys/netinet/ip_output.c   Sun Nov 20 14:53:14 2022 +0000
+++ b/sys/netinet/ip_output.c   Mon Nov 21 09:51:13 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_output.c,v 1.323 2022/11/04 09:00:58 ozaki-r Exp $  */
+/*     $NetBSD: ip_output.c,v 1.324 2022/11/21 09:51:13 knakahara Exp $        */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.323 2022/11/04 09:00:58 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.324 2022/11/21 09:51:13 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -531,6 +531,15 @@
        if (in_nullhost(ip->ip_src)) {
                struct ifaddr *xifa;
 
+               /* If rt_ifa is AF_LINK, ia can be NULL. */
+               if (ia == NULL) {
+                       KASSERTMSG(rt->rt_ifa->ifa_addr->sa_family == AF_LINK,
+                           "sa_family=%d", rt->rt_ifa->ifa_addr->sa_family);
+                       IP_STATINC(IP_STAT_NOROUTE);
+                       error = EHOSTUNREACH;
+                       goto bad;
+               }
+
                xifa = &ia->ia_ifa;
                if (xifa->ifa_getifa != NULL) {
                        ia4_release(ia, &psref_ia);
@@ -582,6 +591,15 @@
 
 sendit:
        if ((flags & (IP_FORWARDING|IP_NOIPNEWID)) == 0) {
+               /* If rt_ifa is AF_LINK, ia can be NULL. */
+               if (ia == NULL) {
+                       KASSERTMSG(rt->rt_ifa->ifa_addr->sa_family == AF_LINK,
+                           "sa_family=%d", rt->rt_ifa->ifa_addr->sa_family);
+                       IP_STATINC(IP_STAT_NOROUTE);
+                       error = EHOSTUNREACH;
+                       goto bad;
+               }
+
                if (m->m_pkthdr.len < IP_MINFRAGSIZE) {
                        ip->ip_id = 0;
                } else if ((m->m_pkthdr.csum_flags & M_CSUM_TSOv4) == 0) {