sys/netinet6: fix memory corruption in in6_ifadd

The routine allocates the wrong size and then passes it to in6_get_ifid.

At the same time it violates invariants by issuing malloc with M_WAITOK
while within a net epoch section.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
Mateusz Guzik
2025-09-29 15:01:53 +00:00
committed by Kristof Provost
parent a733ea831a
commit f9fc93690a
+2 -3
@@ -1243,9 +1243,8 @@ in6_ifadd(struct nd_prefixctl *pr, int mcast)
/* No suitable LL address, get the ifid directly */
if (ifid_addr == NULL) {
struct in6_addr taddr;
ifa = ifa_alloc(sizeof(taddr), M_WAITOK);
if (ifa) {
ifa = ifa_alloc(sizeof(struct in6_ifaddr), M_NOWAIT);
if (ifa != NULL) {
ib = (struct in6_ifaddr *)ifa;
ifid_addr = &ib->ia_addr.sin6_addr;
if(in6_get_ifid(ifp, NULL, ifid_addr) != 0) {