DragonFlyBSD Kernel Audit
DF-0423

Stale reg_mif_num after MRT6_DEL_MIF: remote NULL-deref panic via PIM REGISTER to freed register mif

Summary

del_m6if() (lines 642-685) zeroes the mif6table slot and recomputes nummifs, but never resets reg_mif_num; reg_mif_num is cleared only in ip6_mrouter_done() (line 548). If the REGISTER mif at index N is deleted while a phyint mif at index M > N still exists, nummifs stays M+1 and mif6table[N].m6_ifp is NULL. The guard in pim6_input() (line 1744), reg_mif_num < nummifs, still passes because N < M+1, so if_simloop(mif6table[reg_mif_num].m6_ifp, ...) (line 1842) is called with a NULL ifp and dereferences ifp->if_bpf (if_loop.c:218): a NULL pointer dereference and kernel panic. Trigger: a single unauthenticated remote PIM REGISTER message (IP protocol 103) once pim6=1 and the host is operating as a PIM rendezvous point (RP).
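As an added illustration (a constructed model, not DragonFlyBSD code), the bookkeeping defect above beside two mitigations: resetting reg_mif_num on the deletion path, and requiring a non-NULL m6_ifp in the pim6_input() guard. The struct layout, the MIFI_NONE sentinel and scenario() are assumptions of the model; only the field and function names follow the finding.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Simplified model of the IPv6 multicast-interface (mif) table from the finding;
 * names follow the audit text, but the model is constructed, not DragonFlyBSD source. */
#define MAXMIFS   8
#define MIFI_NONE 0xFFFF                     /* "no register mif" sentinel (model) */
struct ifnet { int if_index; };              /* stand-in for a kernel interface */
struct mif6  { struct ifnet *m6_ifp; };
struct mrt6_state {
    struct mif6 mif6table[MAXMIFS];
    uint16_t    nummifs;                     /* highest populated slot + 1 */
    uint16_t    reg_mif_num;                 /* slot holding the REGISTER mif */
};
static void add_m6if(struct mrt6_state *s, uint16_t i, struct ifnet *ifp, bool reg)
{
    s->mif6table[i].m6_ifp = ifp;
    if (reg) s->reg_mif_num = i;
    if (i + 1 > s->nummifs) s->nummifs = i + 1;
}
/* Deletion as described: slot zeroed, nummifs recomputed, reg_mif_num left stale. */
static void del_m6if_stale(struct mrt6_state *s, uint16_t i)
{
    memset(&s->mif6table[i], 0, sizeof s->mif6table[i]);
    uint16_t n = MAXMIFS;
    while (n > 0 && s->mif6table[n - 1].m6_ifp == NULL) n--;
    s->nummifs = n;
}
/* Fix on the deletion side: invalidate the register index together with its slot. */
static void del_m6if_fixed(struct mrt6_state *s, uint16_t i)
{
    if (s->reg_mif_num == i) s->reg_mif_num = MIFI_NONE;
    del_m6if_stale(s, i);
}
/* Guard before a REGISTER packet is looped to the register mif: bounds check only
 * (original form) versus bounds check plus a live interface pointer (hardened form). */
static bool reg_mif_usable_orig(const struct mrt6_state *s)
{ return s->reg_mif_num < s->nummifs; }
static bool reg_mif_usable_hardened(const struct mrt6_state *s)
{ return s->reg_mif_num < s->nummifs && s->mif6table[s->reg_mif_num].m6_ifp != NULL; }
/* Finding's scenario (REGISTER mif at N=0, phyint at M=1, MRT6_DEL_MIF on slot 0): does the guard pass? */
bool scenario(bool fixed_delete, bool hardened_guard)
{
    struct mrt6_state s = { .reg_mif_num = MIFI_NONE };
    struct ifnet reg = { 1 }, phy = { 2 };
    add_m6if(&s, 0, &reg, true);
    add_m6if(&s, 1, &phy, false);
    if (fixed_delete) del_m6if_fixed(&s, 0); else del_m6if_stale(&s, 0);
    return hardened_guard ? reg_mif_usable_hardened(&s) : reg_mif_usable_orig(&s);
}
```

With the stale deletion and the original guard, scenario() returns true: nummifs is still 2, reg_mif_num is still 0, and the guard lets a NULL m6_ifp through; either mitigation alone makes it return false.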