gnrc_ipv6: fix SEGFAULT when multicasting with multiple interfaces

When writing to the IPv6 header the implementation currently doesn't take the packet with the (potentially) duplicated header, but the packet with the original one, which leads to the packet sent and then released in `gnrc_netif_ethernet.c` first and then accessed again in further iterations of the "writing to the IPv6 header" loop, which causes access to an invalid pointer, causing a crash. Fixes #11980 (cherry picked from commit ce14ee1)
RIOT-OS · Oct 21, 2019 · e95bb17 · e95bb17
1 parent 24398b8
commit e95bb17
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/sys/net/gnrc/network_layer/ipv6/gnrc_ipv6.c b/sys/net/gnrc/network_layer/ipv6/gnrc_ipv6.c
@@ -563,28 +563,33 @@ static void _send_multicast(gnrc_pktsnip_t *pkt, bool prep_hdr,
         gnrc_pktbuf_hold(pkt, ifnum - 1);
 
         while ((netif = gnrc_netif_iter(netif))) {
+            gnrc_pktsnip_t *send_pkt = pkt;
+            /* for !prep_hdr just use pkt as we don't duplicate IPv6 header as
+             * it is already filled and thus isn't filled with potentially
+             * interface-specific data */
             if (prep_hdr) {
                 DEBUG("ipv6: prepare IPv6 header for sending\n");
                 /* need to get second write access (duplication) to fill IPv6
-                 * header interface-local */
-                gnrc_pktsnip_t *tmp = gnrc_pktbuf_start_write(pkt);
+                 * header with interface-specific data */
+                send_pkt = gnrc_pktbuf_start_write(pkt);
 
-                if (tmp == NULL) {
+                if (send_pkt == NULL) {
                     DEBUG("ipv6: unable to get write access to IPv6 header, "
                           "for interface %" PRIkernel_pid "\n", netif->pid);
                     gnrc_pktbuf_release(pkt);
                     return;
                 }
-                if (_fill_ipv6_hdr(netif, tmp) < 0) {
+                if (_fill_ipv6_hdr(netif, send_pkt) < 0) {
                     /* error on filling up header */
-                    if (tmp != pkt) {
-                        gnrc_pktbuf_release(tmp);
+                    if (send_pkt != pkt) {
+                        gnrc_pktbuf_release(send_pkt);
                     }
                     gnrc_pktbuf_release(pkt);
                     return;
                 }
             }
-            _send_multicast_over_iface(pkt, prep_hdr, netif, netif_hdr_flags);
+            _send_multicast_over_iface(send_pkt, prep_hdr, netif,
+                                       netif_hdr_flags);
         }
     }
     else {