devip: Fix bugus RouteHint* pointer to be passed to ipoput4()

The Routehint is embedded into the Translation struct at an offset, so setting the Translation *q pointer to nil results in a non-nil Routehint* pointer passed to ipoput4() generating a crash.
2025-01-12 11:10:06 +00:00 · 2024-10-26 17:04:40 +00:00 · 2024-10-26 17:04:40 +00:00 · 7ee606d027
commit 7ee606d027
parent ac0af7f9bf
2 changed files with 13 additions and 6 deletions
--- a/sys/src/9/ip/icmp.c
+++ b/sys/src/9/ip/icmp.c
@ -311,6 +311,7 @@ goticmpkt(Proto *icmp, Block *bp, Ipifc *ifc)
 	qlock(icmp);
 	iph = iphtlook(&((Icmppriv*)icmp->priv)->ht, src, recid, dst, recid);
 	if(iph != nil){
+		Routehint *rh;
 		Translation *q;
 		int hop = p->ttl;

@ -320,11 +321,13 @@ goticmpkt(Proto *icmp, Block *bp, Ipifc *ifc)
 		hnputs_csum(p->icmpid, q->forward.rport, p->cksum);

 		/* only use route-hint when from original desination */
-		if(memcmp(p->src, q->forward.laddr+IPv4off, IPv4addrlen) != 0)
-			q = nil;
+		if(memcmp(p->src, q->forward.laddr+IPv4off, IPv4addrlen) == 0)
+			rh = q;
+		else
+			rh = nil;
 		qunlock(icmp);

-		ipoput4(icmp->f, bp, ifc, hop - 1, p->tos, q);
+		ipoput4(icmp->f, bp, ifc, hop - 1, p->tos, rh);
 		return;
 	}
 	for(c = icmp->conv; (s = *c) != nil; c++){
--- a/sys/src/9/ip/udp.c
+++ b/sys/src/9/ip/udp.c
@ -430,7 +430,9 @@ Noconv:
 		return;
 	}
 	if(iph->trans){
+		Routehint *rh;
 		Translation *q;
+
 		int hop = uh4->ttl;
 		if(hop <= 1 || (q = transbackward(udp, iph)) == nil){
 			qunlock(udp);
@ -442,10 +444,12 @@ Noconv:
 		hnputs_csum(uh4->udpdport, q->forward.rport, uh4->udpcksum);

 		/* only use route-hint when from original desination */
-		if(memcmp(uh4->udpsrc, q->forward.laddr+IPv4off, IPv4addrlen) != 0)
-			q = nil;
+		if(memcmp(uh4->udpsrc, q->forward.laddr+IPv4off, IPv4addrlen) == 0)
+			rh = q;
+		else
+			rh = nil;
 		qunlock(udp);
-		ipoput4(f, bp, ifc, hop - 1, uh4->tos, q);
+		ipoput4(f, bp, ifc, hop - 1, uh4->tos, rh);
 		return;
 	}
 	c = iphconv(iph);