ip6: Fix crash in ip6_output with debug enabled

It turns out the crash only occurs if LWIP_DEBUG is enabled. If the
parameter dest is NULL the function tries to find a route using the
destination address of the packet instead. If this fails as well a
debug message is printed but it is still using dest causing a NULL
pointer dereference and crash at src/core/ipv6/ip6.c line 1312.

[erik@kryo.se: Apply fix to ip6_output_hinted as well]
This commit is contained in:
Eric Koldeweij 2021-04-26 10:28:36 +02:00 committed by Erik Ekman
parent 2e4932f23b
commit 51265f3f7d

View File

@ -1305,6 +1305,7 @@ ip6_output(struct pbuf *p, const ip6_addr_t *src, const ip6_addr_t *dest,
ip6_addr_copy_from_packed(src_addr, ip6hdr->src); ip6_addr_copy_from_packed(src_addr, ip6hdr->src);
ip6_addr_copy_from_packed(dest_addr, ip6hdr->dest); ip6_addr_copy_from_packed(dest_addr, ip6hdr->dest);
netif = ip6_route(&src_addr, &dest_addr); netif = ip6_route(&src_addr, &dest_addr);
dest = &dest_addr;
} }
if (netif == NULL) { if (netif == NULL) {
@ -1364,6 +1365,7 @@ ip6_output_hinted(struct pbuf *p, const ip6_addr_t *src, const ip6_addr_t *dest,
ip6_addr_copy_from_packed(src_addr, ip6hdr->src); ip6_addr_copy_from_packed(src_addr, ip6hdr->src);
ip6_addr_copy_from_packed(dest_addr, ip6hdr->dest); ip6_addr_copy_from_packed(dest_addr, ip6hdr->dest);
netif = ip6_route(&src_addr, &dest_addr); netif = ip6_route(&src_addr, &dest_addr);
dest = &dest_addr;
} }
if (netif == NULL) { if (netif == NULL) {