Module Name: src
Committed By: maxv
Date: Tue Feb 6 15:48:02 UTC 2018
Modified Files:
src/sys/netinet: ip_reass.c
Log Message:
Add one more check in ip_reass_packet(): make sure that the end of each
fragment does not exceed IP_MAXPACKET.
In ip_reass(), we only check the final length of the reassembled packet
against IP_MAXPACKET.
But there is an integer overflow that can happen a little earlier. We
are doing:
i = ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) -
ntohs(ip->ip_off);
[...]
ip->ip_off = htons(ntohs(ip->ip_off) + i);
It is possible that
ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) > 65535
so the computation of ip_off wraps to zero. This breaks an assumption in
the reassembler - it expects the list of fragments to be ordered by
offset, and here it's not ordered anymore. (Un)Fortunately I couldn't
turn this into anything exploitable.
With the new check, it is guaranteed that ip_off+ip_len<=65535.
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/sys/netinet/ip_reass.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
