ref: 7ee606d02740831c843a323d35b8a6051b08ad27
parent: ac0af7f9bfff95ae1d9c4633c91d7481b165e74a
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sat Oct 26 13:04:40 EDT 2024
devip: Fix bogus Routehint* pointer being passed to ipoput4() The Routehint is embedded in the Translation struct at an offset, so setting the Translation *q pointer to nil results in a non-nil Routehint* pointer being passed to ipoput4(), causing a crash.
--- a/sys/src/9/ip/icmp.c
+++ b/sys/src/9/ip/icmp.c
@@ -311,6 +311,7 @@
qlock(icmp);
iph = iphtlook(&((Icmppriv*)icmp->priv)->ht, src, recid, dst, recid);
if(iph != nil){
+ Routehint *rh;
Translation *q;
int hop = p->ttl;
@@ -320,11 +321,13 @@
hnputs_csum(p->icmpid, q->forward.rport, p->cksum);
/* only use route-hint when from original desination */
- if(memcmp(p->src, q->forward.laddr+IPv4off, IPv4addrlen) != 0)
- q = nil;
+ if(memcmp(p->src, q->forward.laddr+IPv4off, IPv4addrlen) == 0)
+ rh = q;
+ else
+ rh = nil;
qunlock(icmp);
- ipoput4(icmp->f, bp, ifc, hop - 1, p->tos, q);
+ ipoput4(icmp->f, bp, ifc, hop - 1, p->tos, rh);
return;
}
for(c = icmp->conv; (s = *c) != nil; c++){
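Review bot: Nothing at the `rh = q` / `rh = nil` branch records why a separate `Routehint *rh` is needed, so a later cleanup could easily fold it back into passing `q` directly. Per the commit message, the conversion from `Translation*` to the embedded `Routehint` adds the member offset, which is what turned a nil `q` into a non-nil argument before this fix. I would extend the existing comment above the `memcmp` to something like `/* only use route-hint when from original destination; rh is kept separate because a nil Translation* converts to a non-nil Routehint* */`. The matching hunk in udp.c needs the same comment, and any other caller that hands a possibly-nil `Translation*` to a `Routehint*` parameter would be worth checking for the same pattern. The enclosing function begins and ends outside this hunk.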
--- a/sys/src/9/ip/udp.c
+++ b/sys/src/9/ip/udp.c
@@ -430,7 +430,9 @@
return;
}
if(iph->trans){
+ Routehint *rh;
Translation *q;
+
int hop = uh4->ttl;
if(hop <= 1 || (q = transbackward(udp, iph)) == nil){
qunlock(udp);
@@ -442,10 +444,12 @@
hnputs_csum(uh4->udpdport, q->forward.rport, uh4->udpcksum);
/* only use route-hint when from original desination */
- if(memcmp(uh4->udpsrc, q->forward.laddr+IPv4off, IPv4addrlen) != 0)
- q = nil;
+ if(memcmp(uh4->udpsrc, q->forward.laddr+IPv4off, IPv4addrlen) == 0)
+ rh = q;
+ else
+ rh = nil;
qunlock(udp);
- ipoput4(f, bp, ifc, hop - 1, uh4->tos, q);
+ ipoput4(f, bp, ifc, hop - 1, uh4->tos, rh);
return;
}
c = iphconv(iph);
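Review bot: `rh` points into the Translation `q` and is handed to `ipoput4()` only after `qunlock(udp)`, so the hint's memory has to stay valid without the lock, and the hunk does not show what guarantees that. The ordering predates this commit and is the same in the icmp.c hunk (`qunlock(icmp)` before `ipoput4`). It is still worth confirming that a Translation cannot be freed or recycled between the unlock and the send, and recording the answer next to the unlock, e.g. `/* q (and rh) remain valid after qunlock: <reason> */`. The enclosing function starts and ends outside this hunk.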
--
⑨