Module Name: src Committed By: maxv Date: Tue Nov 12 08:11:55 UTC 2019
Modified Files: src/sys/netinet6: ip6_input.c Log Message: Add more checks in ip6_pullexthdr, to prevent a panic in m_copydata. The Rip6 entry point could see a garbage Hop6 option. Not a big issue, since it's a clean panic only triggerable if the socket has the IN6P_DSTOPTS/IN6P_RTHDR option. Reported-by: syzbot+3b07b3511b4ceb8bf...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.214 -r1.215 src/sys/netinet6/ip6_input.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet6/ip6_input.c diff -u src/sys/netinet6/ip6_input.c:1.214 src/sys/netinet6/ip6_input.c:1.215 --- src/sys/netinet6/ip6_input.c:1.214 Fri Oct 18 04:33:53 2019 +++ src/sys/netinet6/ip6_input.c Tue Nov 12 08:11:55 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.214 2019/10/18 04:33:53 ozaki-r Exp $ */ +/* $NetBSD: ip6_input.c,v 1.215 2019/11/12 08:11:55 maxv Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.214 2019/10/18 04:33:53 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.215 2019/11/12 08:11:55 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_gateway.h" @@ -1056,6 +1056,8 @@ ip6_savecontrol(struct in6pcb *in6p, str #define IS2292(x, y) (y) #endif + KASSERT(m->m_flags & M_PKTHDR); + if (SOOPT_TIMESTAMP(so->so_options)) mp = sbsavetimestamp(so->so_options, mp); @@ -1297,12 +1299,18 @@ ip6_pullexthdr(struct mbuf *m, size_t of size_t elen; struct mbuf *n; + if (off + sizeof(ip6e) > m->m_pkthdr.len) + return NULL; + m_copydata(m, off, sizeof(ip6e), (void *)&ip6e); if (nxt == IPPROTO_AH) elen = (ip6e.ip6e_len + 2) << 2; else elen = (ip6e.ip6e_len + 1) << 3; + if (off + elen > m->m_pkthdr.len) + return NULL; + MGET(n, M_DONTWAIT, MT_DATA); if (n && elen >= MLEN) { MCLGET(n, M_DONTWAIT);