Source-Changes-HG archive
src: Fix 'icmp6len', it shouldn't be ip6_plen, because we may no...
details: https://anonhg.NetBSD.org/src/rev/5bf8d26f4ff5
branches: trunk
changeset: 318185:5bf8d26f4ff5
user: maxv <maxv%NetBSD.org@localhost>
date: Sat Apr 14 17:55:47 2018 +0000
description:
Fix 'icmp6len', it shouldn't be ip6_plen, because we may not be at the
beginning of the packet (off+ip6_plen is beyond the end of the mbuf). By
luck, the IP6_EXTHDR_GET that follows will fail and prevent buffer
overflows in non-jumbogram packets.
For jumbograms we will probably be in trouble here; but it doesn't seem
possible to reliably craft a jumbogram for a non-jumbogram-enabled device.
So I don't think it's a huge problem.
diffstat:
sys/netinet6/icmp6.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diffs (27 lines):
diff -r ed512b6f72ff -r 5bf8d26f4ff5 sys/netinet6/icmp6.c
--- a/sys/netinet6/icmp6.c Sat Apr 14 17:52:51 2018 +0000
+++ b/sys/netinet6/icmp6.c Sat Apr 14 17:55:47 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: icmp6.c,v 1.229 2018/04/14 14:59:58 maxv Exp $ */
+/* $NetBSD: icmp6.c,v 1.230 2018/04/14 17:55:47 maxv Exp $ */
/* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.229 2018/04/14 14:59:58 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.230 2018/04/14 17:55:47 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -2224,7 +2224,7 @@
struct ifnet *ifp;
struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
struct nd_redirect *nd_rd;
- int icmp6len = ntohs(ip6->ip6_plen);
+ int icmp6len = m->m_pkthdr.len - off;
char *lladdr = NULL;
int lladdrlen = 0;
struct rtentry *rt = NULL;
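Review bot: The new initializer `int icmp6len = m->m_pkthdr.len - off;` yields a signed value, and nothing in the visible context establishes that `off` is no larger than `m->m_pkthdr.len` or that the result covers a full `struct nd_redirect`. The commit message says the IP6_EXTHDR_GET that follows caught the old miscalculation only by luck, so an explicit lower-bound check on `icmp6len` before it is used for option parsing would make the bound intentional rather than incidental. A one-line comment at the declaration stating that the length is measured from `off` because the ICMPv6 header may not sit at the start of the payload would also keep a later cleanup from reverting to `ip6_plen`.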