From 8a75dc3b44a7c0c730fab22b30858010a52f3116 Mon Sep 17 00:00:00 2001 From: bluhm Date: Thu, 27 Nov 2025 21:54:28 +0000 Subject: [PATCH] Ignore any iterator when traversing nd6 list. nd6_rtrequest() could crash with a NULL pointer dereference if an interator in nd6_list was inspected. Skip freeing neigbor discovery entries and optimization in this unlikely case and try again later. reported by Mischa and Anton Kasimov; OK mvs@ --- sys/netinet6/nd6.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c index e4caf8184a4..58bcc1f809f 100644 --- a/sys/netinet6/nd6.c +++ b/sys/netinet6/nd6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nd6.c,v 1.304 2025/11/12 11:37:08 bluhm Exp $ */ +/* $OpenBSD: nd6.c,v 1.305 2025/11/27 21:54:28 bluhm Exp $ */ /* $KAME: nd6.c,v 1.280 2002/06/08 19:52:07 itojun Exp $ */ /* @@ -829,6 +829,9 @@ nd6_rtrequest(struct ifnet *ifp, int req, struct rtentry *rt) ln_end = TAILQ_LAST(&nd6_list, llinfo_nd6_head); if (ln_end == ln) break; + /* cannot move the iterator, try next time */ + if (ln_end->ln_rt == NULL) + break; /* Move this entry to the head */ TAILQ_REMOVE(&nd6_list, ln_end, ln_list);