Fri Apr 19 00:55:35 2024 UTC (21d)
ip6_output: Initialize plen for ip6_hopopts_input.

This funny little block in ip6_process_hopopts assumes plen is already
initialized, and behaves differently depending on whether it's zero
or not:

https://nxr.netbsd.org/xref/src/sys/netinet6/ip6_input.c?r=1.227#976

In the other call site, it is initialized to ip6->ip6_plen:

https://nxr.netbsd.org/xref/src/sys/netinet6/ip6_input.c?r=1.227#561

Reported-by: syzbot+587e3b707bdfe533283f@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?extid=587e3b707bdfe533283f


(riastradh)
diff -r1.234 -r1.235 src/sys/netinet6/ip6_output.c


--- src/sys/netinet6/ip6_output.c 2023/08/03 05:45:36 1.234
+++ src/sys/netinet6/ip6_output.c 2024/04/19 00:55:35 1.235
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: ip6_output.c,v 1.234 2023/08/03 05:45:36 ozaki-r Exp $ */ 1/* $NetBSD: ip6_output.c,v 1.235 2024/04/19 00:55:35 riastradh Exp $ */
2/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ 2/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
3 3
4/* 4/*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved. 6 * All rights reserved.
7 * 7 *
8 * Redistribution and use in source and binary forms, with or without 8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions 9 * modification, are permitted provided that the following conditions
10 * are met: 10 * are met:
11 * 1. Redistributions of source code must retain the above copyright 11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer. 12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright 13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the 14 * notice, this list of conditions and the following disclaimer in the
@@ -52,27 +52,27 @@ @@ -52,27 +52,27 @@
52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
59 * SUCH DAMAGE. 59 * SUCH DAMAGE.
60 * 60 *
61 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94 61 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94
62 */ 62 */
63 63
64#include <sys/cdefs.h> 64#include <sys/cdefs.h>
65__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.234 2023/08/03 05:45:36 ozaki-r Exp $"); 65__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.235 2024/04/19 00:55:35 riastradh Exp $");
66 66
67#ifdef _KERNEL_OPT 67#ifdef _KERNEL_OPT
68#include "opt_inet.h" 68#include "opt_inet.h"
69#include "opt_inet6.h" 69#include "opt_inet6.h"
70#include "opt_ipsec.h" 70#include "opt_ipsec.h"
71#endif 71#endif
72 72
73#include <sys/param.h> 73#include <sys/param.h>
74#include <sys/malloc.h> 74#include <sys/malloc.h>
75#include <sys/mbuf.h> 75#include <sys/mbuf.h>
76#include <sys/errno.h> 76#include <sys/errno.h>
77#include <sys/socket.h> 77#include <sys/socket.h>
78#include <sys/socketvar.h> 78#include <sys/socketvar.h>
@@ -744,27 +744,27 @@ ip6_output( @@ -744,27 +744,27 @@ ip6_output(
744 * in6_clearscope will touch the addresses only when necessary. 744 * in6_clearscope will touch the addresses only when necessary.
745 */ 745 */
746 in6_clearscope(&ip6->ip6_src); 746 in6_clearscope(&ip6->ip6_src);
747 in6_clearscope(&ip6->ip6_dst); 747 in6_clearscope(&ip6->ip6_dst);
748 748
749 /* 749 /*
750 * If the outgoing packet contains a hop-by-hop options header, 750 * If the outgoing packet contains a hop-by-hop options header,
751 * it must be examined and processed even by the source node. 751 * it must be examined and processed even by the source node.
752 * (RFC 2460, section 4.) 752 * (RFC 2460, section 4.)
753 * 753 *
754 * XXX Is this really necessary? 754 * XXX Is this really necessary?
755 */ 755 */
756 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) { 756 if (ip6->ip6_nxt == IPPROTO_HOPOPTS) {
757 u_int32_t dummy1; /* XXX unused */ 757 u_int32_t dummy1 = 0; /* XXX unused */
758 u_int32_t dummy2; /* XXX unused */ 758 u_int32_t dummy2; /* XXX unused */
759 int hoff = sizeof(struct ip6_hdr); 759 int hoff = sizeof(struct ip6_hdr);
760 760
761 if (ip6_hopopts_input(&dummy1, &dummy2, &m, &hoff)) { 761 if (ip6_hopopts_input(&dummy1, &dummy2, &m, &hoff)) {
762 /* m was already freed at this point */ 762 /* m was already freed at this point */
763 error = EINVAL; 763 error = EINVAL;
764 goto done; 764 goto done;
765 } 765 }
766 766
767 ip6 = mtod(m, struct ip6_hdr *); 767 ip6 = mtod(m, struct ip6_hdr *);
768 } 768 }
769 769
770 /* 770 /*
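Review bot: The `/* XXX unused */` comment kept on `dummy1` at line 757 is now misleading: the commit message says ip6_process_hopopts reads this value and branches on whether it is zero, so the new `= 0` is load-bearing rather than a way to quiet an uninitialized-read report, and I would rename it and say so, e.g. `u_int32_t plen = 0; /* read by ip6_process_hopopts; zero vs. nonzero changes its behaviour */`. The description also notes the input path seeds the same argument with `ip6->ip6_plen`, so seeding it with 0 here means the output path always takes the zero branch regardless of the packet's real payload length; if that divergence is deliberate the comment should say why, otherwise `u_int32_t plen = ip6->ip6_plen;` would keep both call sites consistent. `dummy2` is still left uninitialized on line 758; if the callee can read its second out-parameter before writing it, the same class of bug (kernel stack contents steering the processing of a header a raw-socket user can craft) remains, and `u_int32_t dummy2 = 0;` is cheap insurance — I cannot confirm from this page whether it is read. ip6_output begins before and continues after this hunk.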