From b538bff38365206f8ba4eef186c59db614b778e5 Mon Sep 17 00:00:00 2001
From: Eric Koldeweij
Date: Mon, 26 Apr 2021 10:28:36 +0200
Subject: [PATCH] ip6: Fix crash in ip6_output with debug enabled

It turns out the crash only occurs if LWIP_DEBUG is enabled. If the parameter dest is NULL the function tries to find a route using the destination address of the packet instead. If this fails as well a debug message is printed but it is still using dest causing a NULL pointer dereference and crash at src/core/ipv6/ip6.c line 1312. [erik@kryo.se: Apply fix to ip6_output_hinted as well]
---
 src/core/ipv6/ip6.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/core/ipv6/ip6.c b/src/core/ipv6/ip6.c
index 1288026e..90e90dda 100644
--- a/src/core/ipv6/ip6.c
+++ b/src/core/ipv6/ip6.c
@@ -1305,6 +1305,7 @@ ip6_output(struct pbuf *p, const ip6_addr_t *src, const ip6_addr_t *dest,
 ip6_addr_copy_from_packed(src_addr, ip6hdr->src);
 ip6_addr_copy_from_packed(dest_addr, ip6hdr->dest);
 netif = ip6_route(&src_addr, &dest_addr);
+ dest = &dest_addr;
 }
 
 if (netif == NULL) {
@@ -1364,6 +1365,7 @@ ip6_output_hinted(struct pbuf *p, const ip6_addr_t *src, const ip6_addr_t *dest,
 ip6_addr_copy_from_packed(src_addr, ip6hdr->src);
 ip6_addr_copy_from_packed(dest_addr, ip6hdr->dest);
 netif = ip6_route(&src_addr, &dest_addr);
+ dest = &dest_addr;
 }
 
 if (netif == NULL) {
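Review bot: The added `dest = &dest_addr;` in the header-included branch of ip6_output overwrites the NULL sentinel for the rest of the function, not only for the debug message it is meant to protect. The function body continues outside the hunk, so it cannot be confirmed here whether later code, such as the call that passes `dest` on for transmission, still tests `dest` against NULL to decide if the packet already carries its IPv6 header; if it does, header-included packets would now take the header-building path. A narrower fix leaves `dest` untouched and gives the log message its own pointer: `const ip6_addr_t *log_dest = dest;` before the branch, `log_dest = &dest_addr;` in place of the added line, and `log_dest` in the no-route debug message. The same applies to the second hunk in ip6_output_hinted.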