Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Pull up following revision(s) (requested by maxv in ticket #432): 

sys/netinet6/ip6_input.c: revision 1.215

Add more checks in ip6_pullexthdr, to prevent a panic in m_copydata. The
Rip6 entry point could see a garbage Hop6 option.

Not a big issue, since it's a clean panic only triggerable if the socket
has the IN6P_DSTOPTS/IN6P_RTHDR option.
This commit is contained in:
martin 2019-11-16 17:01:45 +00:00
parent 9089a8fcb0
commit 5202abaaf1
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
sys/netinet6/ip6_input.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip6_input.c,v 1.208.2.3 2019/10/23 19:33:07 martin Exp $ */ /* $NetBSD: ip6_input.c,v 1.208.2.4 2019/11/16 17:01:45 martin Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/* /*
@ -62,7 +62,7 @@
*/ */
#include <sys/cdefs.h> #include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.208.2.3 2019/10/23 19:33:07 martin Exp $"); __KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.208.2.4 2019/11/16 17:01:45 martin Exp $");
#ifdef _KERNEL_OPT #ifdef _KERNEL_OPT
#include "opt_gateway.h" #include "opt_gateway.h"
@ -1056,6 +1056,8 @@ ip6_savecontrol(struct in6pcb *in6p, struct mbuf **mp,
#define IS2292(x, y) (y) #define IS2292(x, y) (y)
#endif #endif
KASSERT(m->m_flags & M_PKTHDR);
if (SOOPT_TIMESTAMP(so->so_options)) if (SOOPT_TIMESTAMP(so->so_options))
mp = sbsavetimestamp(so->so_options, mp); mp = sbsavetimestamp(so->so_options, mp);
@ -1297,12 +1299,18 @@ ip6_pullexthdr(struct mbuf *m, size_t off, int nxt)
size_t elen; size_t elen;
struct mbuf *n; struct mbuf *n;
if (off + sizeof(ip6e) > m->m_pkthdr.len)
return NULL;
m_copydata(m, off, sizeof(ip6e), (void *)&ip6e); m_copydata(m, off, sizeof(ip6e), (void *)&ip6e);
if (nxt == IPPROTO_AH) if (nxt == IPPROTO_AH)
elen = (ip6e.ip6e_len + 2) << 2; elen = (ip6e.ip6e_len + 2) << 2;
else else
elen = (ip6e.ip6e_len + 1) << 3; elen = (ip6e.ip6e_len + 1) << 3;
if (off + elen > m->m_pkthdr.len)
return NULL;
MGET(n, M_DONTWAIT, MT_DATA); MGET(n, M_DONTWAIT, MT_DATA);
if (n && elen >= MLEN) { if (n && elen >= MLEN) {
MCLGET(n, M_DONTWAIT); MCLGET(n, M_DONTWAIT);