[src/trunk]: src/sys Several fixes in L2TP:
details: https://anonhg.NetBSD.org/src/rev/f0baef90d97d
branches: trunk
changeset: 359032:f0baef90d97d
user: maxv <maxv%NetBSD.org@localhost>
date: Fri Jan 26 07:49:15 2018 +0000
description:
Several fixes in L2TP:
* l2tp_input(): use m_copydata, and ensure there is enough space in the
chain. Otherwise overflow.
* l2tp_tcpmss_clamp(): ensure there is enough space in the chain.
* in_l2tp_output(): don't check 'sc' against NULL, it can't be NULL.
* in_l2tp_input(): no need to call m_pullup since we use m_copydata.
Just check the space in the chain.
* in_l2tp_input(): if there is a cookie, make sure the chain has enough
space.
* in6_l2tp_input(): same changes as in_l2tp_input().
Ok knakahara@
diffstat:
sys/net/if_l2tp.c | 19 ++++++++++++++++---
sys/netinet/in_l2tp.c | 24 ++++++++++++------------
sys/netinet6/in6_l2tp.c | 22 ++++++++++++----------
3 files changed, 40 insertions(+), 25 deletions(-)
diffs (159 lines):
diff -r 09e5a8a8ef59 -r f0baef90d97d sys/net/if_l2tp.c
--- a/sys/net/if_l2tp.c Fri Jan 26 06:49:02 2018 +0000
+++ b/sys/net/if_l2tp.c Fri Jan 26 07:49:15 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: if_l2tp.c,v 1.18 2018/01/25 10:33:37 maxv Exp $ */
+/* $NetBSD: if_l2tp.c,v 1.19 2018/01/26 07:49:15 maxv Exp $ */
/*
* Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_l2tp.c,v 1.18 2018/01/25 10:33:37 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_l2tp.c,v 1.19 2018/01/26 07:49:15 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -465,10 +465,18 @@
void
l2tp_input(struct mbuf *m, struct ifnet *ifp)
{
+ u_long val;
KASSERT(ifp != NULL);
- if (0 == (mtod(m, u_long) & 0x03)) {
+ if (m->m_pkthdr.len < sizeof(val)) {
+ m_freem(m);
+ return;
+ }
+
+ m_copydata(m, 0, sizeof(val), &val);
+
+ if ((val & 0x03) == 0) {
/* copy and align head of payload */
struct mbuf *m_head;
int copy_length;
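Review bot: The rewritten condition in l2tp_input() no longer tests what the removed line tested. `mtod(m, u_long)` is, as far as I know, a cast of the `m_data` pointer, so the old check asked whether the payload address is 4-byte aligned, which matches the "copy and align head of payload" comment. The new `val` holds the first `sizeof(u_long)` bytes of the packet, so the branch now depends on data supplied by the peer and on byte order. If the address test is what is intended, keep `if ((mtod(m, u_long) & 0x03) == 0) {` and size the length guard to what the branch below actually reads. That branch continues outside this hunk.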
@@ -1375,6 +1383,11 @@
return m;
}
+ if (m->m_pkthdr.len < sizeof(evh)) {
+ m_freem(m);
+ return NULL;
+ }
+
/* save ether header */
m_copydata(m, 0, sizeof(evh), (void *)&evh);
eh = (struct ether_header *)&evh;
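Review bot: The new short-packet path frees `m` and returns NULL, while the exit just above it returns `m` unchanged, so callers now have to tell the two outcomes apart. No caller is visible in this hunk, and the function itself starts outside it. Confirm that every caller treats NULL as "mbuf already consumed", and state that on the guard, e.g. `/* too short to hold evh: drop; NULL means m was freed */`. The comparison also mixes the signed `m_pkthdr.len` with a `size_t`; writing it as `(size_t)m->m_pkthdr.len < sizeof(evh)` makes the conversion explicit.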
diff -r 09e5a8a8ef59 -r f0baef90d97d sys/netinet/in_l2tp.c
--- a/sys/netinet/in_l2tp.c Fri Jan 26 06:49:02 2018 +0000
+++ b/sys/netinet/in_l2tp.c Fri Jan 26 07:49:15 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in_l2tp.c,v 1.11 2018/01/25 10:45:58 maxv Exp $ */
+/* $NetBSD: in_l2tp.c,v 1.12 2018/01/26 07:49:15 maxv Exp $ */
/*
* Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in_l2tp.c,v 1.11 2018/01/25 10:45:58 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in_l2tp.c,v 1.12 2018/01/26 07:49:15 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_l2tp.h"
@@ -103,9 +103,6 @@
&& sin_dst->sin_family == AF_INET);
sc = var->lv_softc;
- if (sc == NULL)
- return ENETUNREACH;
-
ifp = &sc->l2tp_ec.ec_if;
error = l2tp_check_nesting(ifp, m);
if (error) {
@@ -262,13 +259,12 @@
struct psref psref;
struct l2tp_variant *var;
- if (m->m_len < off + sizeof(uint32_t)) {
- m = m_pullup(m, off + sizeof(uint32_t));
- if (!m) {
- /* if payload length < 4 octets */
- return;
- }
- }
+ KASSERT((m->m_flags & M_PKTHDR) != 0);
+
+ if (m->m_pkthdr.len < off + sizeof(uint32_t)) {
+ m_freem(m);
+ return;
+ }
/* get L2TP session ID */
m_copydata(m, off, sizeof(uint32_t), (void *)&sess_id);
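Review bot: The new length guard in in_l2tp_input() drops the packet with no accounting, so truncated L2TP-over-IP packets disappear without any trace an operator could monitor. If the rest of the function (outside this hunk) already counts drops for unmatched sessions, bump the same or a dedicated statistic before `m_freem(m)`, along the lines of `ip_statinc(<drop counter index>);` with the index chosen by the maintainers. The same applies to the cookie-length guard added later in this file and to both guards added in in6_l2tp.c. The `KASSERT` on `M_PKTHDR` is presumably compiled out of non-DIAGNOSTIC kernels, so `m_pkthdr.len` is trusted there on the strength of the caller's invariant alone.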
@@ -322,6 +318,10 @@
m_adj(m, off + sizeof(uint32_t));
if (var->lv_use_cookie == L2TP_COOKIE_ON) {
+ if (m->m_pkthdr.len < var->lv_my_cookie_len) {
+ m_freem(m);
+ goto out;
+ }
if (var->lv_my_cookie_len == 4) {
m_copydata(m, 0, sizeof(uint32_t), (void *)&cookie_32);
NTOHL(cookie_32);
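Review bot: The cookie guard compares against `var->lv_my_cookie_len`, but the copy below it reads a fixed `sizeof(uint32_t)`, and the other branch, outside this hunk, presumably reads a fixed 8 bytes. The guard is therefore only sufficient if the configured length can never be anything other than those two values. If that is enforced when the cookie is configured, a comment saying so belongs here; otherwise check inside each branch, e.g. `if (m->m_pkthdr.len < sizeof(uint32_t)) { m_freem(m); goto out; }` before the 4-byte copy. The identical guard added to in6_l2tp_input() has the same dependency. The `out` label is not visible here, so confirm it does not touch `m` again after `m_freem(m)`.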
diff -r 09e5a8a8ef59 -r f0baef90d97d sys/netinet6/in6_l2tp.c
--- a/sys/netinet6/in6_l2tp.c Fri Jan 26 06:49:02 2018 +0000
+++ b/sys/netinet6/in6_l2tp.c Fri Jan 26 07:49:15 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in6_l2tp.c,v 1.13 2018/01/25 10:45:58 maxv Exp $ */
+/* $NetBSD: in6_l2tp.c,v 1.14 2018/01/26 07:49:15 maxv Exp $ */
/*
* Copyright (c) 2017 Internet Initiative Japan Inc.
@@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6_l2tp.c,v 1.13 2018/01/25 10:45:58 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6_l2tp.c,v 1.14 2018/01/26 07:49:15 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_l2tp.h"
@@ -253,14 +253,12 @@
uint64_t cookie_64;
struct psref psref;
- if (m->m_len < off + sizeof(uint32_t)) {
- m = m_pullup(m, off + sizeof(uint32_t));
- if (!m) {
- /* if payload length < 4 octets */
- return IPPROTO_DONE;
- }
- *mp = m;
- }
+ KASSERT((m->m_flags & M_PKTHDR) != 0);
+
+ if (m->m_pkthdr.len < off + sizeof(uint32_t)) {
+ m_freem(m);
+ return IPPROTO_DONE;
+ }
/* get L2TP session ID */
m_copydata(m, off, sizeof(uint32_t), (void *)&sess_id);
@@ -312,6 +310,10 @@
m_adj(m, off + sizeof(uint32_t));
if (var->lv_use_cookie == L2TP_COOKIE_ON) {
+ if (m->m_pkthdr.len < var->lv_my_cookie_len) {
+ m_freem(m);
+ goto out;
+ }
if (var->lv_my_cookie_len == 4) {
m_copydata(m, 0, sizeof(uint32_t), (void *)&cookie_32);
NTOHL(cookie_32);