Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.40 (via patch, requeste...
details: https://anonhg.NetBSD.org/src/rev/703fbea103da
branches: netbsd-1-5
changeset: 490773:703fbea103da
user: he <he%NetBSD.org@localhost>
date: Mon Feb 26 22:59:26 2001 +0000
description:
Pull up revision 1.40 (via patch, requested by itojun):
Tighten IPv6 ND6/dest6 option chasing bounds check.
diffstat:
sys/netinet6/nd6.c | 25 +++++++++++++++++++++----
1 files changed, 21 insertions(+), 4 deletions(-)
diffs (53 lines):
diff -r 014aa841ffa9 -r 703fbea103da sys/netinet6/nd6.c
--- a/sys/netinet6/nd6.c Mon Feb 26 22:59:09 2001 +0000
+++ b/sys/netinet6/nd6.c Mon Feb 26 22:59:26 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: nd6.c,v 1.30.4.1 2000/07/20 00:07:05 itojun Exp $ */
+/* $NetBSD: nd6.c,v 1.30.4.2 2001/02/26 22:59:26 he Exp $ */
/* $KAME: nd6.c,v 1.68 2000/07/02 14:48:02 itojun Exp $ */
/*
@@ -165,8 +165,14 @@
#define ND nd_ifinfo[ifp->if_index]
- /* don't initialize if called twice */
- if (ND.linkmtu)
+ /*
+ * Don't initialize if called twice.
+ * XXX: to detect this, we should choose a member that is never set
+ * before initialization of the ND structure itself. We formaly used
+ * the linkmtu member, which was not suitable because it could be
+ * initialized via "ifconfig mtu".
+ */
+ if (ND.basereachable)
return;
ND.linkmtu = ifindex2ifnet[ifp->if_index]->if_mtu;
@@ -272,6 +278,12 @@
nd_opt = ndopts->nd_opts_search;
+ /* make sure nd_opt_len is inside the buffer */
+ if ((caddr_t)&nd_opt->nd_opt_len >= (caddr_t)ndopts->nd_opts_last) {
+ bzero(ndopts, sizeof(*ndopts));
+ return NULL;
+ }
+
olen = nd_opt->nd_opt_len << 3;
if (olen == 0) {
/*
@@ -283,7 +295,12 @@
}
ndopts->nd_opts_search = (struct nd_opt_hdr *)((caddr_t)nd_opt + olen);
- if (!(ndopts->nd_opts_search < ndopts->nd_opts_last)) {
+ if (ndopts->nd_opts_search > ndopts->nd_opts_last) {
+ /* option overruns the end of buffer, invalid */
+ bzero(ndopts, sizeof(*ndopts));
+ return NULL;
+ } else if (ndopts->nd_opts_search == ndopts->nd_opts_last) {
+ /* reached the end of options chain */
ndopts->nd_opts_done = 1;
ndopts->nd_opts_search = NULL;
}
Home |
Main Index |
Thread Index |
Old Index