diff options
author | Mark Johnston <markj@FreeBSD.org> | 2024-02-02 18:58:37 +0000 |
---|---|---|
committer | Mark Johnston <markj@FreeBSD.org> | 2024-02-09 14:56:02 +0000 |
commit | a9ef2c901a8b7101414a6bb778f991e9cb3b50c9 (patch) | |
tree | 2203dec62c4bdaa6c771c206db681346fd5119dc | |
parent | 323226829ae79094a29198efcc6913a7b48c05ca (diff) | |
download | src-a9ef2c901a8b7101414a6bb778f991e9cb3b50c9.tar.gz src-a9ef2c901a8b7101414a6bb778f991e9cb3b50c9.zip |
socket: Don't assume m0 != NULL in sbappendcontrol_locked()
Some callers (e.g., ktls_decrypt()) violate this assumption and thus
could trigger a NULL pointer dereference in KMSAN kernels.
Reported by: glebius
Fixes: ec45f952a232 ("sockbuf: Add KMSAN checks to sbappend*()")
MFC after: 1 week
(cherry picked from commit 30f8cb812e27d8ab40a2c0669ac20a8ee45a7c56)
-rw-r--r-- | sys/kern/uipc_sockbuf.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c index e76f198f42dc..406fdca11b47 100644 --- a/sys/kern/uipc_sockbuf.c +++ b/sys/kern/uipc_sockbuf.c @@ -1328,7 +1328,8 @@ sbappendcontrol_locked(struct sockbuf *sb, struct mbuf *m0, { struct mbuf *m, *mlast; - kmsan_check_mbuf(m0, "sbappend"); + if (m0 != NULL) + kmsan_check_mbuf(m0, "sbappend"); kmsan_check_mbuf(control, "sbappend"); sbm_clrprotoflags(m0, flags); |