From ea1708b402f7d3ea689f6b9559fe0563d63f8410 Mon Sep 17 00:00:00 2001
From: Martine Lenders
Date: Fri, 24 May 2019 22:03:35 +0200
Subject: [PATCH] gnrc_ipv6_ext: don't read from `pkt->data` after `_demux()`

`_demux()` might change `pkt->data` in all kind of ways (moving it due to `gnrc_pktbuf_mark()`, though unlikely; releasing it, because e.g. it starts with a fragment header that marks a fragmented packet containing only one fragment, etc.) so accessing the pointer *after* calling `_demux()` is somewhat playing with fire.

This change avoids this by storing the value of `ext_hdr->nh` (all we are interested in here) in a temporary variable that then is used to set the out-parameter `nh`.

`protnum` needs to be unchanged before the call to `_demux()` as it was set by the previous iteration and determines what extension header actually is handled.
---
 sys/net/gnrc/network_layer/ipv6/ext/gnrc_ipv6_ext.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/net/gnrc/network_layer/ipv6/ext/gnrc_ipv6_ext.c b/sys/net/gnrc/network_layer/ipv6/ext/gnrc_ipv6_ext.c
index e7c60634fb..441b646e96 100644
--- a/sys/net/gnrc/network_layer/ipv6/ext/gnrc_ipv6_ext.c
+++ b/sys/net/gnrc/network_layer/ipv6/ext/gnrc_ipv6_ext.c
@@ -109,17 +109,19 @@ gnrc_pktsnip_t *gnrc_ipv6_ext_process_all(gnrc_pktsnip_t *pkt,
 case PROTNUM_IPV6_EXT_ESP:
 case PROTNUM_IPV6_EXT_MOB: {
 ipv6_ext_t *ext_hdr;
+uint8_t nh;
 DEBUG("ipv6: handle extension header (protnum = %u)\n", *protnum);
 ext_hdr = pkt->data;
+nh = ext_hdr->nh;
 if ((pkt = _demux(pkt, *protnum)) == NULL) {
 DEBUG("ipv6: packet was consumed by extension header "
 "handling\n");
 return NULL;
 }
-*protnum = ext_hdr->nh;
-if (_duplicate_hopopt(pkt, *protnum)) {
+*protnum = nh;
+if (_duplicate_hopopt(pkt, nh)) {
 return NULL;
 }
 break;
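Review bot: The added `nh = ext_hdr->nh;` (like the `ext_hdr = pkt->data;` it follows) dereferences the snip before `_demux()` has had a chance to validate it, so a payload shorter than an extension header would be read out of bounds unless the caller already guarantees `pkt->size >= sizeof(ipv6_ext_t)` — that guarantee is not visible in the hunk. A guard before the read, `if (pkt->size < sizeof(ipv6_ext_t)) { gnrc_pktbuf_release(pkt); return NULL; }`, would make the fix self-contained; if the caller does guarantee the size, a one-line comment on the read stating where it is checked would do. The commit description calls the out-parameter `nh`; in the code it is `protnum`. gnrc_ipv6_ext_process_all begins and ends outside the hunk.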