Pull up following revision(s) (requested by maxv in ticket #432):
sys/netinet6/ip6_input.c: revision 1.215 Add more checks in ip6_pullexthdr, to prevent a panic in m_copydata. The Rip6 entry point could see a garbage Hop6 option. Not a big issue, since it's a clean panic only triggerable if the socket has the IN6P_DSTOPTS/IN6P_RTHDR option.
parent
9089a8fcb0
commit
5202abaaf1
|
@ -1,4 +1,4 @@
|
||||||
/* $NetBSD: ip6_input.c,v 1.208.2.3 2019/10/23 19:33:07 martin Exp $ */
|
/* $NetBSD: ip6_input.c,v 1.208.2.4 2019/11/16 17:01:45 martin Exp $ */
|
||||||
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
|
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -62,7 +62,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.208.2.3 2019/10/23 19:33:07 martin Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.208.2.4 2019/11/16 17:01:45 martin Exp $");
|
||||||
|
|
||||||
#ifdef _KERNEL_OPT
|
#ifdef _KERNEL_OPT
|
||||||
#include "opt_gateway.h"
|
#include "opt_gateway.h"
|
||||||
|
@ -1056,6 +1056,8 @@ ip6_savecontrol(struct in6pcb *in6p, struct mbuf **mp,
|
||||||
#define IS2292(x, y) (y)
|
#define IS2292(x, y) (y)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
KASSERT(m->m_flags & M_PKTHDR);
|
||||||
|
|
||||||
if (SOOPT_TIMESTAMP(so->so_options))
|
if (SOOPT_TIMESTAMP(so->so_options))
|
||||||
mp = sbsavetimestamp(so->so_options, mp);
|
mp = sbsavetimestamp(so->so_options, mp);
|
||||||
|
|
||||||
|
@ -1297,12 +1299,18 @@ ip6_pullexthdr(struct mbuf *m, size_t off, int nxt)
|
||||||
size_t elen;
|
size_t elen;
|
||||||
struct mbuf *n;
|
struct mbuf *n;
|
||||||
|
|
||||||
|
if (off + sizeof(ip6e) > m->m_pkthdr.len)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
m_copydata(m, off, sizeof(ip6e), (void *)&ip6e);
|
m_copydata(m, off, sizeof(ip6e), (void *)&ip6e);
|
||||||
if (nxt == IPPROTO_AH)
|
if (nxt == IPPROTO_AH)
|
||||||
elen = (ip6e.ip6e_len + 2) << 2;
|
elen = (ip6e.ip6e_len + 2) << 2;
|
||||||
else
|
else
|
||||||
elen = (ip6e.ip6e_len + 1) << 3;
|
elen = (ip6e.ip6e_len + 1) << 3;
|
||||||
|
|
||||||
|
if (off + elen > m->m_pkthdr.len)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
MGET(n, M_DONTWAIT, MT_DATA);
|
MGET(n, M_DONTWAIT, MT_DATA);
|
||||||
if (n && elen >= MLEN) {
|
if (n && elen >= MLEN) {
|
||||||
MCLGET(n, M_DONTWAIT);
|
MCLGET(n, M_DONTWAIT);
|
||||||
|
|
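Review bot: The two added guards in ip6_pullexthdr, `off + sizeof(ip6e) > m->m_pkthdr.len` and `off + elen > m->m_pkthdr.len`, add to a `size_t` before comparing, so they only hold if no caller passes an `off` close to the type's maximum; the callers are not visible in this hunk. Writing them subtractively removes that dependency: `if (off > m->m_pkthdr.len || m->m_pkthdr.len - off < elen) return NULL;`, with the same shape using `sizeof(ip6e)` for the first check. A one-line comment above the first guard, such as `/* m_copydata() panics if asked to copy past the end of the chain */`, would also record why a length derived from packet data (`ip6e_len`) is validated before any copy. The function's body starts and ends outside the hunk.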