validate mbuf chain length on *_ctlinput. remote node may be able to

transmit a truncated icmp6 packet and panic the system. sync with kame.
2000-10-13 17:53:44 +00:00 · 2000-10-13 17:53:44 +00:00 · 6e3a9bc311
parent 65d3436a47
commit 6e3a9bc311
2 changed files with 11 additions and 3 deletions
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_subr.c,v 1.93 2000/09/19 18:21:41 itojun Exp $	*/
+/*	$NetBSD: tcp_subr.c,v 1.94 2000/10/13 17:53:44 itojun Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -1176,6 +1176,10 @@ tcp6_ctlinput(cmd, sa, d)
 		if (IN6_IS_ADDR_LINKLOCAL(&s))
 			s.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index);

+		/* check if we can safely examine src and dst ports */
+		if (m->m_pkthdr.len < off + sizeof(th))
+			return;
+
 		if (m->m_len < off + sizeof(th)) {
 			/*
 			 * this should be rare case,
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@ -1,5 +1,5 @@
-/*	$NetBSD: udp6_usrreq.c,v 1.32 2000/07/07 15:54:19 itojun Exp $	*/
-/*	$KAME: udp6_usrreq.c,v 1.55 2000/06/13 11:40:15 itojun Exp $	*/
+/*	$NetBSD: udp6_usrreq.c,v 1.33 2000/10/13 17:53:45 itojun Exp $	*/
+/*	$KAME: udp6_usrreq.c,v 1.59 2000/10/13 17:46:20 itojun Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -516,6 +516,10 @@ udp6_ctlinput(cmd, sa, d)
 		if (IN6_IS_ADDR_LINKLOCAL(&s))
 			s.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index);

+		/* check if we can safely examine src and dst ports */
+		if (m->m_pkthdr.len < off + sizeof(uh))
+			return;
+
 		if (m->m_len < off + sizeof(uh)) {
 			/*
 			 * this should be rare case,