Source-Changes archive
CVS commit: src/sys/external/bsd/ipf/netinet
Module Name: src
Committed By: christos
Date: Fri Feb 3 19:01:08 UTC 2023
Modified Files:
src/sys/external/bsd/ipf/netinet: fil.c
Log Message:
Fix use after free on packet with broken lengths
Under the scenario with a packet with length of 67 bytes, a header length
using the default of 20 bytes and a TCP data offset (th_off) of 48 will
cause m_pullup() to fail to make sure bytes are arranged contiguously.
m_pullup() will free the mbuf chain and return a null. ipfilter stores
the resultant mbuf address (or the resulting NULL) in its fr_info_t
structure. Unfortunately the erroneous packet is not flagged for drop.
From FreeBSD via CY Schubert; originally reported by: Robert Morris
<rtm at lcs.mit.edu>
To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 src/sys/external/bsd/ipf/netinet/fil.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
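
The failure mode in the log message, as a small user-space model added here for illustration; it is not the ipfilter or NetBSD code and not the committed fix. `struct pkt`, `struct info`, `toy_pullup` and the `drop` field are hypothetical stand-ins, and reading the 48 as a byte count is an assumption.

```c
#include <stdlib.h>

/* Hypothetical stand-ins, not the kernel's struct mbuf / fr_info_t. */
struct pkt  { size_t len; unsigned char *data; };
struct info { struct pkt *m; int drop; };  /* drop: "discard this packet" */

/* Allocates a constructed packet of the given length. */
static struct pkt *make_pkt(size_t len)
{
    struct pkt *m = malloc(sizeof(*m));
    if (m == NULL) abort();
    m->len = len;
    m->data = calloc(1, len);
    if (m->data == NULL) abort();
    return m;
}

/* Models the m_pullup() contract from the log: on failure the packet
 * is freed and NULL is returned. */
static struct pkt *toy_pullup(struct pkt *m, size_t need)
{
    if (need <= m->len) return m;
    free(m->data);
    free(m);
    return NULL;
}

/* hardened == 0: result stored, failure not flagged (the reported state).
 * hardened == 1: a NULL result also marks the packet for drop. */
static void pull(struct info *fin, size_t need, int hardened)
{
    fin->m = toy_pullup(fin->m, need);
    if (fin->m == NULL && hardened)
        fin->drop = 1;
}

/* Returns the drop flag later code would see after the pull. */
static int drop_flag_after_pull(size_t pktlen, int hardened)
{
    struct info fin = { make_pkt(pktlen), 0 };
    size_t need = 20 + 48;  /* header length + th_off, 48 read as bytes (assumption) */
    pull(&fin, need, hardened);
    if (fin.m != NULL) { free(fin.m->data); free(fin.m); }
    return fin.drop;
}
```

With a 67-byte packet the pull needs 68 bytes and fails; only the hardened path leaves a flag telling later code that the packet no longer exists.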