Source-Changes-HG archive


[src/trunk]: src/sys/netinet6 Add more checks in ip6_pullexthdr, to prevent a...



details:   https://anonhg.NetBSD.org/src/rev/bbb30c0cb1a3
branches:  trunk
changeset: 460978:bbb30c0cb1a3
user:      maxv <maxv%NetBSD.org@localhost>
date:      Tue Nov 12 08:11:55 2019 +0000

description:
Add more checks in ip6_pullexthdr, to prevent a panic in m_copydata. The
Rip6 entry point could see a garbage Hop6 option.

Not a big issue, since it's a clean panic only triggerable if the socket
has the IN6P_DSTOPTS/IN6P_RTHDR option.

Reported-by: syzbot+3b07b3511b4ceb8bf1e2%syzkaller.appspotmail.com@localhost

diffstat:

 sys/netinet6/ip6_input.c |  12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diffs (46 lines):

diff -r 93048f083f59 -r bbb30c0cb1a3 sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c  Tue Nov 12 07:41:50 2019 +0000
+++ b/sys/netinet6/ip6_input.c  Tue Nov 12 08:11:55 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_input.c,v 1.214 2019/10/18 04:33:53 ozaki-r Exp $  */
+/*     $NetBSD: ip6_input.c,v 1.215 2019/11/12 08:11:55 maxv Exp $     */
 /*     $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $     */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.214 2019/10/18 04:33:53 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.215 2019/11/12 08:11:55 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -1056,6 +1056,8 @@
 #define IS2292(x, y)   (y)
 #endif
 
+       KASSERT(m->m_flags & M_PKTHDR);
+
        if (SOOPT_TIMESTAMP(so->so_options))
                mp = sbsavetimestamp(so->so_options, mp);
 
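Review bot: KASSERT(m->m_flags & M_PKTHDR) is compiled in only for DIAGNOSTIC kernels, so it documents rather than enforces the precondition; that is acceptable here because the new bounds checks in ip6_pullexthdr (next hunk) read m->m_pkthdr.len and a non-packet-header mbuf would make that field garbage. A one-line comment next to the assertion saying that m_pkthdr.len is about to be trusted by the option-parsing path would make the contract explicit for readers who do not see the other hunk.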
@@ -1297,12 +1299,18 @@
        size_t elen;
        struct mbuf *n;
 
+       if (off + sizeof(ip6e) > m->m_pkthdr.len)
+               return NULL;
+
        m_copydata(m, off, sizeof(ip6e), (void *)&ip6e);
        if (nxt == IPPROTO_AH)
                elen = (ip6e.ip6e_len + 2) << 2;
        else
                elen = (ip6e.ip6e_len + 1) << 3;
 
+       if (off + elen > m->m_pkthdr.len)
+               return NULL;
+
        MGET(n, M_DONTWAIT, MT_DATA);
        if (n && elen >= MLEN) {
                MCLGET(n, M_DONTWAIT);


