Source-Changes-HG archive


[src/trunk]: src/sys/netinet Make sure the protocol address length equals tha...



details:   https://anonhg.NetBSD.org/src/rev/b4e04ba3c6b7
branches:  trunk
changeset: 350771:b4e04ba3c6b7
user:      maxv <maxv%NetBSD.org@localhost>
date:      Fri Jan 20 19:21:01 2017 +0000

description:
Make sure the protocol address length equals that of IPv4. Also, make sure
the hardware address length equals that of the interface we received the
packet on. Otherwise a packet could easily set them both to zero and make
the kernel read beyond the allocated mbuf, which is terrible.

Note: for the latter we drop the packet instead of replying, since it is
malformed.

Note: I also added an ugly hack in CARP, since it apparently expects at
least six bytes.

diffstat:

 sys/netinet/if_arp.c |  27 +++++++++++++++------------
 1 files changed, 15 insertions(+), 12 deletions(-)

diffs (69 lines):

diff -r 0df27936771f -r b4e04ba3c6b7 sys/netinet/if_arp.c
--- a/sys/netinet/if_arp.c      Fri Jan 20 17:50:52 2017 +0000
+++ b/sys/netinet/if_arp.c      Fri Jan 20 19:21:01 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_arp.c,v 1.237 2017/01/20 17:50:52 maxv Exp $        */
+/*     $NetBSD: if_arp.c,v 1.238 2017/01/20 19:21:01 maxv Exp $        */
 
 /*-
  * Copyright (c) 1998, 2000, 2008 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.237 2017/01/20 17:50:52 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.238 2017/01/20 19:21:01 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ddb.h"
@@ -1040,6 +1040,9 @@
                break;
        }
 
+       if (ah->ar_pln != sizeof(struct in_addr))
+               goto drop;
+
        memcpy(&isaddr, ar_spa(ah), sizeof(isaddr));
        memcpy(&itaddr, ar_tpa(ah), sizeof(itaddr));
 
@@ -1060,7 +1063,8 @@
                    ((ia->ia_ifp->if_flags & (IFF_UP|IFF_RUNNING)) ==
                    (IFF_UP|IFF_RUNNING))) {
                        index++;
-                       if (ia->ia_ifp == rcvif &&
+                       /* XXX: ar_hln? */
+                       if (ia->ia_ifp == rcvif && (ah->ar_hln >= 6) &&
                            carp_iamatch(ia, ar_sha(ah),
                            &count, index)) {
                                break;
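Review bot: the `(ah->ar_hln >= 6)` guard is a magic number and the `/* XXX: ar_hln? */` comment does not say what it protects. Because this loop runs before the `ah->ar_hln != ifp->if_addrlen` check added further down, this condition is the only thing standing between a short hardware address and carp_iamatch(ia, ar_sha(ah), ...); say so in the comment and replace 6 with the named constant for the address length CARP reads (ETHER_ADDR_LEN if that is an Ethernet MAC), or, cleaner, move the ar_hln validation ahead of this loop so the hack is unnecessary. Note also that `>= 6` still admits an ar_hln larger than the receiving interface's address length, which is only safe if carp_iamatch() reads exactly six bytes.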
@@ -1096,6 +1100,14 @@
                ia4_acquire(ia, &psref_ia);
        pserialize_read_exit(s);
 
+       if (ah->ar_hln != ifp->if_addrlen) {
+               ARP_STATINC(ARP_STAT_RCVBADLEN);
+               log(LOG_WARNING,
+                   "arp from %s: addr len: new %d, i/f %d (ignored)\n",
+                   in_fmtaddr(ipbuf, isaddr), ah->ar_hln, ifp->if_addrlen);
+               goto out;
+       }
+
        if (ia == NULL) {
                ia = in_get_ia_on_iface_psref(isaddr, rcvif, &psref_ia);
                if (ia == NULL) {
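Review bot: the relocated ar_hln check now runs after `ia4_acquire(ia, &psref_ia)` and exits via `goto out`, where the old copy exited via `goto reply`; please confirm the `out:` label releases the ia psref acquired two lines above, otherwise this is a reference leak on every malformed packet. Separately, `log(LOG_WARNING, ...)` fires for every mismatched packet and is triggerable by any host on the link, so it should be rate-limited (ppsratecheck) or gated behind a debug knob. Minor: the check compares against `ifp->if_addrlen` while the lookup just below uses `rcvif`; if those can ever differ, a comment explaining which interface's address length is authoritative would help, since the commit message says the intent is the interface the packet arrived on.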
@@ -1211,15 +1223,6 @@
        }
 #endif
 
-       if (ifp->if_addrlen != ah->ar_hln) {
-               ARP_STATINC(ARP_STAT_RCVBADLEN);
-               log(LOG_WARNING,
-                   "arp from %s: addr len: new %d, i/f %d (ignored)\n",
-                   in_fmtaddr(ipbuf, isaddr), ah->ar_hln,
-                   ifp->if_addrlen);
-               goto reply;
-       }
-
 #if NTOKEN > 0
        /*
         * XXX uses m_data and assumes the complete answer including


