Source-Changes-HG archive
[src/trunk]: src/sys/netinet6 in6: make sure a user-specified checksum field ...
details: https://anonhg.NetBSD.org/src/rev/c1a016cecfd4
branches: trunk
changeset: 373946:c1a016cecfd4
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Wed Mar 22 03:17:18 2023 +0000
description:
in6: make sure a user-specified checksum field is within a packet
From OpenBSD
diffstat:
sys/netinet6/raw_ip6.c | 17 +++++++++++++----
1 files changed, 13 insertions(+), 4 deletions(-)
diffs (45 lines):
diff -r dd8f821e90e6 -r c1a016cecfd4 sys/netinet6/raw_ip6.c
--- a/sys/netinet6/raw_ip6.c Tue Mar 21 22:07:29 2023 +0000
+++ b/sys/netinet6/raw_ip6.c Wed Mar 22 03:17:18 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $ */
+/* $NetBSD: raw_ip6.c,v 1.183 2023/03/22 03:17:18 ozaki-r Exp $ */
/* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.183 2023/03/22 03:17:18 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_ipsec.h"
@@ -202,7 +202,16 @@
continue;
if (in6p_cksum(inp) != -1) {
RIP6_STATINC(RIP6_STAT_ISUM);
- if (in6_cksum(m, proto, *offp,
+ /*
+ * Although in6_cksum() does not need the position of
+ * the checksum field for verification, enforce that it
+ * is located within the packet. Userland has given
+ * a checksum offset, a packet too short for that is
+ * invalid. Avoid overflow with user supplied offset.
+ */
+ if (m->m_pkthdr.len < *offp + 2 ||
+ m->m_pkthdr.len - *offp - 2 < in6p_cksum(inp) ||
+ in6_cksum(m, proto, *offp,
m->m_pkthdr.len - *offp)) {
RIP6_STATINC(RIP6_STAT_BADSUM);
continue;
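Review bot: In the new condition, `m->m_pkthdr.len - *offp - 2 < in6p_cksum(inp)` compares against an offset that the enclosing guard only tests against -1, so if these values are signed (as the `!= -1` test suggests) the bound only holds when the offset is guaranteed non-negative where it is set, and that is not visible in this hunk. Consider reading in6p_cksum(inp) into a local once instead of evaluating it in both the guard and the comparison, and stating the non-negative invariant in the comment. A packet that is merely too short for the offset is also counted under RIP6_STAT_BADSUM; if that is intended, the comment could say so.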
@@ -470,7 +479,7 @@
off = offsetof(struct icmp6_hdr, icmp6_cksum);
else
off = in6p_cksum(inp);
- if (plen < off + 1) {
+ if (plen < 2 || plen - 2 < off) {
error = EINVAL;
goto bad;
}
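Review bot: The rewritten test `if (plen < 2 || plen - 2 < off)` carries no comment and the bare 2 is unexplained, while the matching input-side check in this same change is documented. A one-line comment saying that 2 is the size of the checksum field and that the subtraction form avoids overflow in `off + 1` with a user-supplied offset would help. The old form also accepted a packet with only one byte available at off, so the comment or commit message could mention that this tightens the accepted range.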