Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-9]: src/sys/netinet6 Pull up following revision(s) (requested by ...



details:   https://anonhg.NetBSD.org/src/rev/fe8aec63c77a
branches:  netbsd-9
changeset: 462799:fe8aec63c77a
user:      martin <martin%NetBSD.org@localhost>
date:      Sat Nov 16 17:01:45 2019 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #432):

        sys/netinet6/ip6_input.c: revision 1.215

Add more checks in ip6_pullexthdr, to prevent a panic in m_copydata. The
Rip6 entry point could see a garbage Hop6 option.

Not a big issue, since it's a clean panic only triggerable if the socket
has the IN6P_DSTOPTS/IN6P_RTHDR option.

diffstat:

 sys/netinet6/ip6_input.c |  12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diffs (46 lines):

diff -r 12887fa9aa37 -r fe8aec63c77a sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c  Sat Nov 16 16:59:15 2019 +0000
+++ b/sys/netinet6/ip6_input.c  Sat Nov 16 17:01:45 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_input.c,v 1.208.2.3 2019/10/23 19:33:07 martin Exp $       */
+/*     $NetBSD: ip6_input.c,v 1.208.2.4 2019/11/16 17:01:45 martin Exp $       */
 /*     $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $     */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.208.2.3 2019/10/23 19:33:07 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.208.2.4 2019/11/16 17:01:45 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -1056,6 +1056,8 @@
 #define IS2292(x, y)   (y)
 #endif
 
+       KASSERT(m->m_flags & M_PKTHDR);
+
        if (SOOPT_TIMESTAMP(so->so_options))
                mp = sbsavetimestamp(so->so_options, mp);
 
@@ -1297,12 +1299,18 @@
        size_t elen;
        struct mbuf *n;
 
+       if (off + sizeof(ip6e) > m->m_pkthdr.len)
+               return NULL;
+
        m_copydata(m, off, sizeof(ip6e), (void *)&ip6e);
        if (nxt == IPPROTO_AH)
                elen = (ip6e.ip6e_len + 2) << 2;
        else
                elen = (ip6e.ip6e_len + 1) << 3;
 
+       if (off + elen > m->m_pkthdr.len)
+               return NULL;
+
        MGET(n, M_DONTWAIT, MT_DATA);
        if (n && elen >= MLEN) {
                MCLGET(n, M_DONTWAIT);



Home | Main Index | Thread Index | Old Index