gnrc_ipv6: fix SEGFAULT when multicasting with multiple interfaces

When writing to the IPv6 header the implementation currently doesn't take the packet with the (potentially) duplicated header, but the packet with the original one, which leads to the packet sent and then released in `gnrc_netif_ethernet.c` first and then accessed again in further iterations of the "writing to the IPv6 header" loop, which causes access to an invalid pointer, causing a crash. Fixes #11980
2025-01-18 12:52:44 +01:00 · 2019-10-20 12:37:55 +02:00 · 2019-10-20 12:37:55 +02:00 · ce14ee1f77
commit ce14ee1f77
parent 5db4310b45
1 changed files with 12 additions and 7 deletions
--- a/sys/net/gnrc/network_layer/ipv6/gnrc_ipv6.c
+++ b/sys/net/gnrc/network_layer/ipv6/gnrc_ipv6.c
@ -563,28 +563,33 @@ static void _send_multicast(gnrc_pktsnip_t *pkt, bool prep_hdr,
        gnrc_pktbuf_hold(pkt, ifnum - 1);

        while ((netif = gnrc_netif_iter(netif))) {
+            gnrc_pktsnip_t *send_pkt = pkt;
+            /* for !prep_hdr just use pkt as we don't duplicate IPv6 header as
+             * it is already filled and thus isn't filled with potentially
+             * interface-specific data */
            if (prep_hdr) {
                DEBUG("ipv6: prepare IPv6 header for sending\n");
                /* need to get second write access (duplication) to fill IPv6
-                 * header interface-local */
-                gnrc_pktsnip_t *tmp = gnrc_pktbuf_start_write(pkt);
+                 * header with interface-specific data */
+                send_pkt = gnrc_pktbuf_start_write(pkt);

-                if (tmp == NULL) {
+                if (send_pkt == NULL) {
                    DEBUG("ipv6: unable to get write access to IPv6 header, "
                          "for interface %" PRIkernel_pid "\n", netif->pid);
                    gnrc_pktbuf_release(pkt);
                    return;
                }
-                if (_fill_ipv6_hdr(netif, tmp) < 0) {
+                if (_fill_ipv6_hdr(netif, send_pkt) < 0) {
                    /* error on filling up header */
-                    if (tmp != pkt) {
-                        gnrc_pktbuf_release(tmp);
+                    if (send_pkt != pkt) {
+                        gnrc_pktbuf_release(send_pkt);
                    }
                    gnrc_pktbuf_release(pkt);
                    return;
                }
            }
-            _send_multicast_over_iface(pkt, prep_hdr, netif, netif_hdr_flags);
+            _send_multicast_over_iface(send_pkt, prep_hdr, netif,
+                                       netif_hdr_flags);
        }
    }
    else {