Module Name:    src
Committed By:   maxv
Date:           Tue Nov 12 08:11:55 UTC 2019

Modified Files:
        src/sys/netinet6: ip6_input.c

Log Message:
Add more checks in ip6_pullexthdr, to prevent a panic in m_copydata. The
Rip6 entry point could see a garbage Hop6 option.

Not a big issue, since it's a clean panic only triggerable if the socket
has the IN6P_DSTOPTS/IN6P_RTHDR option.

Reported-by: syzbot+3b07b3511b4ceb8bf...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.214 -r1.215 src/sys/netinet6/ip6_input.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.214 src/sys/netinet6/ip6_input.c:1.215
--- src/sys/netinet6/ip6_input.c:1.214	Fri Oct 18 04:33:53 2019
+++ src/sys/netinet6/ip6_input.c	Tue Nov 12 08:11:55 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.214 2019/10/18 04:33:53 ozaki-r Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.215 2019/11/12 08:11:55 maxv Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.214 2019/10/18 04:33:53 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.215 2019/11/12 08:11:55 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -1056,6 +1056,8 @@ ip6_savecontrol(struct in6pcb *in6p, str
 #define IS2292(x, y)	(y)
 #endif
 
+	KASSERT(m->m_flags & M_PKTHDR);
+
 	if (SOOPT_TIMESTAMP(so->so_options))
 		mp = sbsavetimestamp(so->so_options, mp);
 
@@ -1297,12 +1299,18 @@ ip6_pullexthdr(struct mbuf *m, size_t of
 	size_t elen;
 	struct mbuf *n;
 
+	if (off + sizeof(ip6e) > m->m_pkthdr.len)
+		return NULL;
+
 	m_copydata(m, off, sizeof(ip6e), (void *)&ip6e);
 	if (nxt == IPPROTO_AH)
 		elen = (ip6e.ip6e_len + 2) << 2;
 	else
 		elen = (ip6e.ip6e_len + 1) << 3;
 
+	if (off + elen > m->m_pkthdr.len)
+		return NULL;
+
 	MGET(n, M_DONTWAIT, MT_DATA);
 	if (n && elen >= MLEN) {
 		MCLGET(n, M_DONTWAIT);
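Review bot: both new `return NULL;` paths drop a truncated extension header silently, and the caller cannot tell them apart from the existing allocation-failure return (the `if (n && elen >= MLEN)` line shows MGET can already yield a NULL n); if this file keeps a too-short or truncated-packet counter, the header-length checks should bump it so a stream of garbage Hop6/dstopts headers shows up in the statistics, and it is worth confirming that every caller of ip6_pullexthdr already handles NULL, since this change makes that return reachable on attacker-controlled input rather than only under memory pressure. The arithmetic itself is sound: ip6e_len is an 8-bit field, so elen is at most (255 + 1) << 3 = 2048 bytes and `off + elen` cannot wrap in size_t, and comparing the size_t sum against the int m_pkthdr.len is safe for a well-formed packet header whose length is non-negative.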
