Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-10]: src/sys/netinet6 Pull up following revision(s) (requested by...
details: https://anonhg.NetBSD.org/src/rev/e0d74d7979b0
branches: netbsd-10
changeset: 373982:e0d74d7979b0
user: martin <martin%NetBSD.org@localhost>
date: Thu Mar 23 12:03:04 2023 +0000
description:
Pull up following revision(s) (requested by ozaki-r in ticket #125):
sys/netinet6/raw_ip6.c: revision 1.183
sys/netinet6/ip6_output.c: revision 1.233
in6: reject setting negative values but -1 via setsockopt(IPV6_CHECKSUM)
Same as OpenBSD.
in6: make sure a user-specified checksum field is within a packet
>From OpenBSD
diffstat:
sys/netinet6/ip6_output.c | 12 ++++++++----
sys/netinet6/raw_ip6.c | 17 +++++++++++++----
2 files changed, 21 insertions(+), 8 deletions(-)
diffs (78 lines):
diff -r b4726bf124d5 -r e0d74d7979b0 sys/netinet6/ip6_output.c
--- a/sys/netinet6/ip6_output.c Wed Mar 22 19:01:56 2023 +0000
+++ b/sys/netinet6/ip6_output.c Thu Mar 23 12:03:04 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_output.c,v 1.231 2022/10/28 05:25:36 ozaki-r Exp $ */
+/* $NetBSD: ip6_output.c,v 1.231.2.1 2023/03/23 12:03:04 martin Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.231 2022/10/28 05:25:36 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.231.2.1 2023/03/23 12:03:04 martin Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -1986,8 +1986,12 @@ ip6_raw_ctloutput(int op, struct socket
error = sockopt_getint(sopt, &optval);
if (error)
break;
- if ((optval % 2) != 0) {
- /* the API assumes even offset values */
+ if (optval < -1 ||
+ (optval > 0 && (optval % 2) != 0)) {
+ /*
+ * The API assumes non-negative even offset
+ * values or -1 as a special value.
+ */
error = EINVAL;
} else if (so->so_proto->pr_protocol ==
IPPROTO_ICMPV6) {
diff -r b4726bf124d5 -r e0d74d7979b0 sys/netinet6/raw_ip6.c
--- a/sys/netinet6/raw_ip6.c Wed Mar 22 19:01:56 2023 +0000
+++ b/sys/netinet6/raw_ip6.c Thu Mar 23 12:03:04 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $ */
+/* $NetBSD: raw_ip6.c,v 1.182.2.1 2023/03/23 12:03:04 martin Exp $ */
/* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.182.2.1 2023/03/23 12:03:04 martin Exp $");
#ifdef _KERNEL_OPT
#include "opt_ipsec.h"
@@ -202,7 +202,16 @@ rip6_input(struct mbuf **mp, int *offp,
continue;
if (in6p_cksum(inp) != -1) {
RIP6_STATINC(RIP6_STAT_ISUM);
- if (in6_cksum(m, proto, *offp,
+ /*
+ * Although in6_cksum() does not need the position of
+ * the checksum field for verification, enforce that it
+ * is located within the packet. Userland has given
+ * a checksum offset, a packet too short for that is
+ * invalid. Avoid overflow with user supplied offset.
+ */
+ if (m->m_pkthdr.len < *offp + 2 ||
+ m->m_pkthdr.len - *offp - 2 < in6p_cksum(inp) ||
+ in6_cksum(m, proto, *offp,
m->m_pkthdr.len - *offp)) {
RIP6_STATINC(RIP6_STAT_BADSUM);
continue;
@@ -470,7 +479,7 @@ rip6_output(struct mbuf *m, struct socke
off = offsetof(struct icmp6_hdr, icmp6_cksum);
else
off = in6p_cksum(inp);
- if (plen < off + 1) {
+ if (plen < 2 || plen - 2 < off) {
error = EINVAL;
goto bad;
}
Home |
Main Index |
Thread Index |
Old Index