Source-Changes-HG archive
[src/trunk]: src/sys/netinet6 Fix info leak. We are allocating a slot of size:
details: https://anonhg.NetBSD.org/src/rev/1302558691b3
branches: trunk
changeset: 358939:1302558691b3
user: maxv <maxv%NetBSD.org@localhost>
date: Tue Jan 23 10:32:50 2018 +0000
description:
Fix info leak. We are allocating a slot of size:
roundup(sizeof(*nd_opt) + ifp->if_addrlen, 8)
But we are not filling in the padding caused by the roundup, and therefore
several bytes are leaked, in the mbuf we're about to send to the network.
diffstat:
sys/netinet6/icmp6.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)
diffs (49 lines):
diff -r 336a53efead6 -r 1302558691b3 sys/netinet6/icmp6.c
--- a/sys/netinet6/icmp6.c Tue Jan 23 09:21:59 2018 +0000
+++ b/sys/netinet6/icmp6.c Tue Jan 23 10:32:50 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: icmp6.c,v 1.216 2018/01/23 09:21:59 maxv Exp $ */
+/* $NetBSD: icmp6.c,v 1.217 2018/01/23 10:32:50 maxv Exp $ */
/* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.216 2018/01/23 09:21:59 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.217 2018/01/23 10:32:50 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -2616,7 +2616,7 @@
{
/* target lladdr option */
struct llentry *ln = NULL;
- int len;
+ int len, pad;
struct nd_opt_hdr *nd_opt;
char *lladdr;
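Review bot: `pad` is declared as `int` alongside `len`, but it is assigned from an expression involving `sizeof` and later passed as the length argument to `memset`. The value is always between 0 and 7 because `len` is rounded up to a multiple of 8, so the conversion is safe as written; declaring it `size_t`, or stating that range in a comment at the declaration, would make this obvious without reading the arithmetic further down.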
@@ -2625,17 +2625,21 @@
goto nolladdropt;
len = sizeof(*nd_opt) + ifp->if_addrlen;
len = (len + 7) & ~7; /* round by 8 */
+ pad = len - (sizeof(*nd_opt) + ifp->if_addrlen);
+
/* safety check */
if (len + (p - (u_char *)ip6) > maxlen) {
LLE_RUNLOCK(ln);
goto nolladdropt;
}
+
if (ln->la_flags & LLE_VALID) {
nd_opt = (struct nd_opt_hdr *)p;
nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
nd_opt->nd_opt_len = len >> 3;
lladdr = (char *)(nd_opt + 1);
memcpy(lladdr, &ln->ll_addr, ifp->if_addrlen);
+ memset(lladdr + ifp->if_addrlen, 0, pad);
p += len;
}
LLE_RUNLOCK(ln);
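Review bot: In the `pad = len - (sizeof(*nd_opt) + ifp->if_addrlen);` line, the unrounded option length is written out a second time, directly after `len` was built from the same expression and rounded. If one of the two is changed without the other, the `memset` either leaves padding bytes uncleared again or clears the wrong number of bytes. Keeping the unrounded length in a local before the `(len + 7) & ~7` step and deriving `pad` from that local would tie the two together. The `memset(lladdr + ifp->if_addrlen, 0, pad);` call also deserves a one-line comment saying that the padding is cleared so stale mbuf contents are not sent on the wire, since with `pad` equal to 0 (option already a multiple of 8 bytes) the call looks like dead code.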