[src/trunk]: src/sys/netinet Add one more check in ip_reass_packet(): make su...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/sys/netinet Add one more check in ip_reass_packet(): make su...
From: maxv <maxv%NetBSD.org@localhost>
Date: Tue, 31 Jul 2018 21:51:32 +0000

details:   https://anonhg.NetBSD.org/src/rev/af18d5d9b376
branches:  trunk
changeset: 359294:af18d5d9b376
user:      maxv <maxv%NetBSD.org@localhost>
date:      Tue Feb 06 15:48:02 2018 +0000

description:
Add one more check in ip_reass_packet(): make sure that the end of each
fragment does not exceed IP_MAXPACKET.

In ip_reass(), we only check the final length of the reassembled packet
against IP_MAXPACKET.

But there is an integer overflow that can happen a little earlier. We
are doing:

        i = ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) -
            ntohs(ip->ip_off);
        [...]
        ip->ip_off = htons(ntohs(ip->ip_off) + i);

It is possible that

        ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) > 65535

so the computation of ip_off wraps to zero. This breaks an assumption in
the reassembler - it expects the list of fragments to be ordered by
offset, and here it's not ordered anymore. (Un)Fortunately I couldn't
turn this into anything exploitable.

With the new check, it is guaranteed that ip_off+ip_len<=65535.

diffstat:

 sys/netinet/ip_reass.c |  9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diffs (30 lines):

diff -r 8eb830468802 -r af18d5d9b376 sys/netinet/ip_reass.c
--- a/sys/netinet/ip_reass.c    Tue Feb 06 13:26:32 2018 +0000
+++ b/sys/netinet/ip_reass.c    Tue Feb 06 15:48:02 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_reass.c,v 1.11 2017/01/11 13:08:29 ozaki-r Exp $    */
+/*     $NetBSD: ip_reass.c,v 1.12 2018/02/06 15:48:02 maxv Exp $       */
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11 2017/01/11 13:08:29 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.12 2018/02/06 15:48:02 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -629,6 +629,11 @@
                return EINVAL;
        }
 
+       if (off + len > IP_MAXPACKET) {
+               IP_STATINC(IP_STAT_BADFRAGS);
+               return EINVAL;
+       }
+
        /*
         * Fragment length and MF flag.  Make sure that fragments have
         * a data length which is non-zero and multiple of 8 bytes.

Prev by Date: [src/trunk]: src/sys/modules/pf Avoid gcc 6 specific options when compiling w...
Next by Date: [src/trunk]: src/sys/dev/ic Remove misplaced semicolon, found by GCC 6.
Previous by Thread: [src/trunk]: src/sys/modules/pf Avoid gcc 6 specific options when compiling w...
Next by Thread: [src/trunk]: src/sys/dev/ic Remove misplaced semicolon, found by GCC 6.
Indexes:

Home | Main Index | Thread Index | Old Index