From ce14ee1f7702fec43b682c850da66285ca164ff0 Mon Sep 17 00:00:00 2001
From: Martine Lenders <m.lenders@fu-berlin.de>
Date: Sun, 20 Oct 2019 12:37:55 +0200
Subject: [PATCH] gnrc_ipv6: fix SEGFAULT when multicasting with multiple
 interfaces

When writing to the IPv6 header the implementation currently doesn't
take the packet with the (potentially) duplicated header, but the
packet with the original one, which leads to the packet sent and then
released in `gnrc_netif_ethernet.c` first and then accessed again in
further iterations of the "writing to the IPv6 header" loop, which
causes access to an invalid pointer, causing a crash.

Fixes #11980
---
 sys/net/gnrc/network_layer/ipv6/gnrc_ipv6.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/sys/net/gnrc/network_layer/ipv6/gnrc_ipv6.c b/sys/net/gnrc/network_layer/ipv6/gnrc_ipv6.c
index 9e1bd1b159..f136f96e9a 100644
--- a/sys/net/gnrc/network_layer/ipv6/gnrc_ipv6.c
+++ b/sys/net/gnrc/network_layer/ipv6/gnrc_ipv6.c
@@ -563,28 +563,33 @@ static void _send_multicast(gnrc_pktsnip_t *pkt, bool prep_hdr,
         gnrc_pktbuf_hold(pkt, ifnum - 1);
 
         while ((netif = gnrc_netif_iter(netif))) {
+            gnrc_pktsnip_t *send_pkt = pkt;
+            /* for !prep_hdr just use pkt as we don't duplicate IPv6 header as
+             * it is already filled and thus isn't filled with potentially
+             * interface-specific data */
             if (prep_hdr) {
                 DEBUG("ipv6: prepare IPv6 header for sending\n");
                 /* need to get second write access (duplication) to fill IPv6
-                 * header interface-local */
-                gnrc_pktsnip_t *tmp = gnrc_pktbuf_start_write(pkt);
+                 * header with interface-specific data */
+                send_pkt = gnrc_pktbuf_start_write(pkt);
 
-                if (tmp == NULL) {
+                if (send_pkt == NULL) {
                     DEBUG("ipv6: unable to get write access to IPv6 header, "
                           "for interface %" PRIkernel_pid "\n", netif->pid);
                     gnrc_pktbuf_release(pkt);
                     return;
                 }
-                if (_fill_ipv6_hdr(netif, tmp) < 0) {
+                if (_fill_ipv6_hdr(netif, send_pkt) < 0) {
                     /* error on filling up header */
-                    if (tmp != pkt) {
-                        gnrc_pktbuf_release(tmp);
+                    if (send_pkt != pkt) {
+                        gnrc_pktbuf_release(send_pkt);
                     }
                     gnrc_pktbuf_release(pkt);
                     return;
                 }
             }
-            _send_multicast_over_iface(pkt, prep_hdr, netif, netif_hdr_flags);
+            _send_multicast_over_iface(send_pkt, prep_hdr, netif,
+                                       netif_hdr_flags);
         }
     }
     else {