1
0
mirror of https://github.com/RIOT-OS/RIOT.git synced 2025-01-18 12:52:44 +01:00

gnrc_ipv6_ext: don't read from pkt->data after _demux()

`_demux()` might change `pkt->data` in all kind of ways (moving it due
to `gnrc_pktbuf_mark()`, though unlikely; releasing it, because e.g. it
starts with a fragment header that marks a fragmented packet containing
only one fragment, etc.) so accessing the pointer *after* calling
`_demux()` is somewhat playing with fire. This change avoids this by
storing the value of `ext_hdr->nh` (all we are interested in here) in a
temporary variable that then is used to set the out-parameter `nh`.

`protnum` needs to be unchanged before the call to `_demux()` as it was
set by the previous iteration and determines what extension header
actually is handled.
This commit is contained in:
Martine Lenders 2019-05-24 22:03:35 +02:00
parent 1dcd3b6a08
commit ea1708b402

View File

@ -109,17 +109,19 @@ gnrc_pktsnip_t *gnrc_ipv6_ext_process_all(gnrc_pktsnip_t *pkt,
case PROTNUM_IPV6_EXT_ESP:
case PROTNUM_IPV6_EXT_MOB: {
ipv6_ext_t *ext_hdr;
uint8_t nh;
DEBUG("ipv6: handle extension header (protnum = %u)\n",
*protnum);
ext_hdr = pkt->data;
nh = ext_hdr->nh;
if ((pkt = _demux(pkt, *protnum)) == NULL) {
DEBUG("ipv6: packet was consumed by extension header "
"handling\n");
return NULL;
}
*protnum = ext_hdr->nh;
if (_duplicate_hopopt(pkt, *protnum)) {
*protnum = nh;
if (_duplicate_hopopt(pkt, nh)) {
return NULL;
}
break;