Author: tuexen Date: Fri Apr 19 17:28:28 2019 New Revision: 346402 URL: https://svnweb.freebsd.org/changeset/base/346402
Log: When a checksum has to be computed for a received IPv6 packet because it is requested by the application using the IPPROTO_IPV6 level socket option IPV6_CHECKSUM on a raw socket, ensure that the packet contains enough bytes to contain the checksum at the specified offset. Reported by: syzbot+6295fcc5a8aced81d...@syzkaller.appspotmail.com Reviewed by: bz@ Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D19968 Modified: head/sys/netinet6/raw_ip6.c Modified: head/sys/netinet6/raw_ip6.c ============================================================================== --- head/sys/netinet6/raw_ip6.c Fri Apr 19 17:21:35 2019 (r346401) +++ head/sys/netinet6/raw_ip6.c Fri Apr 19 17:28:28 2019 (r346402) @@ -239,7 +239,8 @@ rip6_input(struct mbuf **mp, int *offp, int proto) } if (in6p->in6p_cksum != -1) { RIP6STAT_INC(rip6s_isum); - if (in6_cksum(m, proto, *offp, + if (m->m_pkthdr.len - (*offp + in6p->in6p_cksum) < 2 || + in6_cksum(m, proto, *offp, m->m_pkthdr.len - *offp)) { RIP6STAT_INC(rip6s_badsum); goto skip_2; _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
