Module Name: src Committed By: martin Date: Sat Nov 16 17:01:45 UTC 2019
Modified Files: src/sys/netinet6 [netbsd-9]: ip6_input.c Log Message: Pull up following revision(s) (requested by maxv in ticket #432): sys/netinet6/ip6_input.c: revision 1.215 Add more checks in ip6_pullexthdr, to prevent a panic in m_copydata. The Rip6 entry point could see a garbage Hop6 option. Not a big issue, since it's a clean panic only triggerable if the socket has the IN6P_DSTOPTS/IN6P_RTHDR option. To generate a diff of this commit: cvs rdiff -u -r1.208.2.3 -r1.208.2.4 src/sys/netinet6/ip6_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.208.2.3 src/sys/netinet6/ip6_input.c:1.208.2.4
--- src/sys/netinet6/ip6_input.c:1.208.2.3 Wed Oct 23 19:33:07 2019
+++ src/sys/netinet6/ip6_input.c Sat Nov 16 17:01:45 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.208.2.3 2019/10/23 19:33:07 martin Exp $ */
+/* $NetBSD: ip6_input.c,v 1.208.2.4 2019/11/16 17:01:45 martin Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
 /*
@@ -62,7 +62,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.208.2.3 2019/10/23 19:33:07 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.208.2.4 2019/11/16 17:01:45 martin Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -1056,6 +1056,8 @@ ip6_savecontrol(struct in6pcb *in6p, str
 #define IS2292(x, y) (y)
 #endif
+ KASSERT(m->m_flags & M_PKTHDR);
+
 if (SOOPT_TIMESTAMP(so->so_options))
 mp = sbsavetimestamp(so->so_options, mp);
@@ -1297,12 +1299,18 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 size_t elen;
 struct mbuf *n;
+ if (off + sizeof(ip6e) > m->m_pkthdr.len)
+ return NULL;
+
 m_copydata(m, off, sizeof(ip6e), (void *)&ip6e);
 if (nxt == IPPROTO_AH)
 elen = (ip6e.ip6e_len + 2) << 2;
 else
 elen = (ip6e.ip6e_len + 1) << 3;
+ if (off + elen > m->m_pkthdr.len)
+ return NULL;
+
 MGET(n, M_DONTWAIT, MT_DATA);
 if (n && elen >= MLEN) {
 MCLGET(n, M_DONTWAIT);
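Review bot: The new `KASSERT(m->m_flags & M_PKTHDR);` in ip6_savecontrol has no comment saying which later access depends on the packet header, and KASSERT is only compiled in for DIAGNOSTIC kernels, so release builds do not enforce it. If it is meant to back the `m->m_pkthdr.len` comparisons this commit adds to ip6_pullexthdr (the call path is not visible in this hunk), a one-line comment such as `/* ip6_pullexthdr() bounds-checks against m->m_pkthdr.len */` would record that for the next reader. ip6_savecontrol starts and ends outside the hunk.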
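Review bot: Both new guards in ip6_pullexthdr, `off + sizeof(ip6e) > m->m_pkthdr.len` and `off + elen > m->m_pkthdr.len`, add before comparing, so they are only sound while `off` cannot wrap; `off` looks like a `size_t` from the truncated signature, and the type of `m_pkthdr.len` is not visible here. A subtraction form does not depend on that: `if (off > m->m_pkthdr.len || sizeof(ip6e) > m->m_pkthdr.len - off) return NULL;` for the first guard and `if (elen > m->m_pkthdr.len - off) return NULL;` for the second. The checks also trust `m_pkthdr.len`, while the M_PKTHDR assertion added by this commit sits in ip6_savecontrol; repeating `KASSERT(m->m_flags & M_PKTHDR);` at the top of ip6_pullexthdr would keep the precondition next to its use. The function body continues outside the hunk.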