From nobody@FreeBSD.org  Mon Apr 17 18:43:05 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D67A216A400
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 17 Apr 2006 18:43:05 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4B69A43D73
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 17 Apr 2006 18:43:04 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k3HIh4sb017543
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 17 Apr 2006 18:43:04 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k3HIh4Qq017542;
	Mon, 17 Apr 2006 18:43:04 GMT
	(envelope-from nobody)
Message-Id: <200604171843.k3HIh4Qq017542@www.freebsd.org>
Date: Mon, 17 Apr 2006 18:43:04 GMT
From: James Juran <James.Juran@baesystems.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: missing check for failed memory alloc in icmp6_input()
X-Send-Pr-Version: www-2.3

>Number:         95957
>Category:       kern
>Synopsis:       [netinet6] [patch] missing check for failed memory alloc in icmp6_input()
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bms
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 17 18:50:11 GMT 2006
>Closed-Date:    Wed Feb 14 13:35:31 GMT 2007
>Last-Modified:  Wed Feb 14 13:40:04 GMT 2007
>Originator:     James Juran
>Release:        7.0-CURRENT
>Organization:
BAE Systems Inc.
>Environment:
N/A
>Description:
It appears that the processing of the ICMP6_WRUREQUEST message in icmp6_input
is missing a check for a failed memory allocation from MGETHDR(M_DONTWAIT).
The mbuf allocated by MGETHDR() is passed to m_dup_pkthdr() without first
verifying that it is non-NULL, and m_dup_pkthdr() references through its
first argument, also without verifying that it is non-NULL.  So if this
allocation fails we will get a kernel panic in m_dup_pkthdr().


>How-To-Repeat:
code inspection
>Fix:
Change

			if (!m_dup_pkthdr(n, m, M_DONTWAIT)) {

to

			if (n && !m_dup_pkthdr(n, m, M_DONTWAIT)) {

at line 686 of icmp6.c.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->gnn@freebsd.org 
Responsible-Changed-By: gnn 
Responsible-Changed-When: Sun Jun 11 09:01:59 UTC 2006 
Responsible-Changed-Why:  
Took PR for inspection and resolution. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=95957 
Responsible-Changed-From-To: gnn@freebsd.org->gnn 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jun 11 12:44:21 UTC 2006 
Responsible-Changed-Why:  
Canonicalize assignment. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=95957 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/95957: commit references a PR
Date: Sat, 10 Feb 2007 12:25:26 +0000 (UTC)

 bms         2007-02-10 12:25:19 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/netinet6         icmp6.c 
   Log:
   In the ICMP6 path to handle FQDN 'who-are-you' queries, check that the
   packet header mbuf is non-NULL before trying to create a duplicate of it.
   
   PR:             95957
   Reviewed by:    ume
   MFC after:      3 days
   
   Revision  Changes    Path
   1.75      +1 -1      src/sys/netinet6/icmp6.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: bms 
State-Changed-When: Sat Feb 10 12:30:52 UTC 2007 
State-Changed-Why:  
I just patched this in -CURRENT. 


Responsible-Changed-From-To: gnn->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Sat Feb 10 12:30:52 UTC 2007 
Responsible-Changed-Why:  
I'll take care of this 

http://www.freebsd.org/cgi/query-pr.cgi?pr=95957 
State-Changed-From-To: patched->closed 
State-Changed-By: bms 
State-Changed-When: Wed Feb 14 13:35:17 UTC 2007 
State-Changed-Why:  
MFC 

http://www.freebsd.org/cgi/query-pr.cgi?pr=95957 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/95957: commit references a PR
Date: Wed, 14 Feb 2007 13:35:21 +0000 (UTC)

 bms         2007-02-14 13:35:11 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     sys/netinet6         icmp6.c 
   Log:
   MFC rev 1.75:
     In the ICMP6 path to handle FQDN 'who-are-you' queries, check that the
     packet header mbuf is non-NULL before trying to create a duplicate of it.
   
   PR:             95957
   Reviewed by:    ume
   
   Revision  Changes    Path
   1.62.2.8  +1 -1      src/sys/netinet6/icmp6.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
