Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-10]: src/sys/netinet6 Pull up following revision(s) (requested by...



details:   https://anonhg.NetBSD.org/src/rev/e0d74d7979b0
branches:  netbsd-10
changeset: 373982:e0d74d7979b0
user:      martin <martin%NetBSD.org@localhost>
date:      Thu Mar 23 12:03:04 2023 +0000

description:
Pull up following revision(s) (requested by ozaki-r in ticket #125):

        sys/netinet6/raw_ip6.c: revision 1.183
        sys/netinet6/ip6_output.c: revision 1.233

in6: reject setting negative values but -1 via setsockopt(IPV6_CHECKSUM)
Same as OpenBSD.

in6: make sure a user-specified checksum field is within a packet
>From OpenBSD

diffstat:

 sys/netinet6/ip6_output.c |  12 ++++++++----
 sys/netinet6/raw_ip6.c    |  17 +++++++++++++----
 2 files changed, 21 insertions(+), 8 deletions(-)

diffs (78 lines):

diff -r b4726bf124d5 -r e0d74d7979b0 sys/netinet6/ip6_output.c
--- a/sys/netinet6/ip6_output.c Wed Mar 22 19:01:56 2023 +0000
+++ b/sys/netinet6/ip6_output.c Thu Mar 23 12:03:04 2023 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_output.c,v 1.231 2022/10/28 05:25:36 ozaki-r Exp $ */
+/*     $NetBSD: ip6_output.c,v 1.231.2.1 2023/03/23 12:03:04 martin Exp $      */
 /*     $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $    */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.231 2022/10/28 05:25:36 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.231.2.1 2023/03/23 12:03:04 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1986,8 +1986,12 @@ ip6_raw_ctloutput(int op, struct socket 
                        error = sockopt_getint(sopt, &optval);
                        if (error)
                                break;
-                       if ((optval % 2) != 0) {
-                               /* the API assumes even offset values */
+                       if (optval < -1 ||
+                           (optval > 0 && (optval % 2) != 0)) {
+                               /*
+                                * The API assumes non-negative even offset
+                                * values or -1 as a special value.
+                                */
                                error = EINVAL;
                        } else if (so->so_proto->pr_protocol ==
                            IPPROTO_ICMPV6) {
diff -r b4726bf124d5 -r e0d74d7979b0 sys/netinet6/raw_ip6.c
--- a/sys/netinet6/raw_ip6.c    Wed Mar 22 19:01:56 2023 +0000
+++ b/sys/netinet6/raw_ip6.c    Thu Mar 23 12:03:04 2023 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $    */
+/*     $NetBSD: raw_ip6.c,v 1.182.2.1 2023/03/23 12:03:04 martin Exp $ */
 /*     $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $        */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.182.2.1 2023/03/23 12:03:04 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -202,7 +202,16 @@ rip6_input(struct mbuf **mp, int *offp, 
                        continue;
                if (in6p_cksum(inp) != -1) {
                        RIP6_STATINC(RIP6_STAT_ISUM);
-                       if (in6_cksum(m, proto, *offp,
+                       /*
+                        * Although in6_cksum() does not need the position of
+                        * the checksum field for verification, enforce that it
+                        * is located within the packet.  Userland has given
+                        * a checksum offset, a packet too short for that is
+                        * invalid.  Avoid overflow with user supplied offset.
+                        */
+                       if (m->m_pkthdr.len < *offp + 2 ||
+                           m->m_pkthdr.len - *offp - 2 < in6p_cksum(inp) ||
+                           in6_cksum(m, proto, *offp,
                            m->m_pkthdr.len - *offp)) {
                                RIP6_STATINC(RIP6_STAT_BADSUM);
                                continue;
@@ -470,7 +479,7 @@ rip6_output(struct mbuf *m, struct socke
                        off = offsetof(struct icmp6_hdr, icmp6_cksum);
                else
                        off = in6p_cksum(inp);
-               if (plen < off + 1) {
+               if (plen < 2 || plen - 2 < off) {
                        error = EINVAL;
                        goto bad;
                }



Home | Main Index | Thread Index | Old Index