authorMark Johnston <markj@FreeBSD.org>2024-02-02 18:58:37 +0000
committerMark Johnston <markj@FreeBSD.org>2024-02-09 14:56:02 +0000
commita9ef2c901a8b7101414a6bb778f991e9cb3b50c9 (patch)
tree2203dec62c4bdaa6c771c206db681346fd5119dc
parent323226829ae79094a29198efcc6913a7b48c05ca (diff)
downloadsrc-a9ef2c901a8b7101414a6bb778f991e9cb3b50c9.tar.gz
src-a9ef2c901a8b7101414a6bb778f991e9cb3b50c9.zip
socket: Don't assume m0 != NULL in sbappendcontrol_locked()
Some callers (e.g., ktls_decrypt()) violate this assumption and thus could trigger a NULL pointer dereference in KMSAN kernels. Reported by: glebius Fixes: ec45f952a232 ("sockbuf: Add KMSAN checks to sbappend*()") MFC after: 1 week (cherry picked from commit 30f8cb812e27d8ab40a2c0669ac20a8ee45a7c56)
-rw-r--r--sys/kern/uipc_sockbuf.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c
index e76f198f42dc..406fdca11b47 100644
--- a/sys/kern/uipc_sockbuf.c
+++ b/sys/kern/uipc_sockbuf.c
@@ -1328,7 +1328,8 @@ sbappendcontrol_locked(struct sockbuf *sb, struct mbuf *m0,
{
struct mbuf *m, *mlast;
- kmsan_check_mbuf(m0, "sbappend");
+ if (m0 != NULL)
+ kmsan_check_mbuf(m0, "sbappend");
kmsan_check_mbuf(control, "sbappend");
sbm_clrprotoflags(m0, flags);
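Review bot: The new guard covers only the kmsan_check_mbuf() call, while `sbm_clrprotoflags(m0, flags);` on the last hunk line still receives the possibly-NULL m0 unguarded. As far as I recall sbm_clrprotoflags() walks the chain with a NULL-tolerant loop, so this is likely safe, but the relaxed contract is now implicit; a comment at the top of the function would pin it down, e.g. `/* m0 may be NULL: some callers (e.g. ktls_decrypt()) append control data only. */`. The body of sbappendcontrol_locked() continues past the hunk, so any later unconditional use of m0 there deserves the same check.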