Source-Changes-D archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: CVS commit: src/sys/net/npf
Le 31/01/2018 à 00:18, Mindaugas Rasiukevicius a écrit :
[...]
Fix this by using uint32_t. While here, it seems to me there is also a
memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
a value that goes beyond the mbuf.
[...]
If the npc_hlen value is beyond the packet length, NPF's nbuf interface
will catch that, since it performs the bounds check.
I meant to say that the IPv6 loop in npf_cache_ip seems suspicious to me.
while (nbuf_advance(nbuf, hlen, 0) != NULL) {
[...]
hlen = (ip6e->ip6e_len + 1) << 3;
[...]
npc->npc_hlen += hlen;
}
[continue execution...]
Here, if you have a 'hlen' that goes beyond the mbuf, nbuf_advance will fail,
and we're not handling this case. npc_hlen got incremented along the way, and
it now points past the end of the mbuf.
Perhaps that's handled properly later, but in all cases, we ought to handle
the error right here instead of processing the packet any further.
Note however that NPF is rather at the end of my TODO list, and I'll come back
to it later.
Maxime
Home |
Main Index |
Thread Index |
Old Index