CVS commit: [netbsd-8] src/sys/netinet6

Thu, 23 Mar 2023 05:08:45 -0700 

Module Name:    src
Committed By:   martin
Date:           Thu Mar 23 12:08:39 UTC 2023

Modified Files:
        src/sys/netinet6 [netbsd-8]: ip6_output.c raw_ip6.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1808):

        sys/netinet6/raw_ip6.c: revision 1.183 (via patch)
        sys/netinet6/ip6_output.c: revision 1.233

in6: reject setting negative values but -1 via setsockopt(IPV6_CHECKSUM)
Same as OpenBSD.

in6: make sure a user-specified checksum field is within a packet
>From OpenBSD


To generate a diff of this commit:
cvs rdiff -u -r1.191.6.4 -r1.191.6.5 src/sys/netinet6/ip6_output.c
cvs rdiff -u -r1.157.2.5 -r1.157.2.6 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/netinet6/ip6_output.c
diff -u src/sys/netinet6/ip6_output.c:1.191.6.4 src/sys/netinet6/ip6_output.c:1.191.6.5
--- src/sys/netinet6/ip6_output.c:1.191.6.4	Tue Jan  2 10:20:34 2018
+++ src/sys/netinet6/ip6_output.c	Thu Mar 23 12:08:39 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_output.c,v 1.191.6.4 2018/01/02 10:20:34 snj Exp $	*/
+/*	$NetBSD: ip6_output.c,v 1.191.6.5 2023/03/23 12:08:39 martin Exp $	*/
 /*	$KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191.6.4 2018/01/02 10:20:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191.6.5 2023/03/23 12:08:39 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2028,8 +2028,12 @@ ip6_raw_ctloutput(int op, struct socket 
 			error = sockopt_getint(sopt, &optval);
 			if (error)
 				break;
-			if ((optval % 2) != 0) {
-				/* the API assumes even offset values */
+			if (optval < -1 ||
+			    (optval > 0 && (optval % 2) != 0)) {
+				/*
+				 * The API assumes non-negative even offset
+				 * values or -1 as a special value.
+				 */
 				error = EINVAL;
 			} else if (so->so_proto->pr_protocol ==
 			    IPPROTO_ICMPV6) {

Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.157.2.5 src/sys/netinet6/raw_ip6.c:1.157.2.6
--- src/sys/netinet6/raw_ip6.c:1.157.2.5	Tue Jan 29 07:04:09 2019
+++ src/sys/netinet6/raw_ip6.c	Thu Mar 23 12:08:39 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip6.c,v 1.157.2.5 2019/01/29 07:04:09 msaitoh Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.157.2.6 2023/03/23 12:08:39 martin Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.5 2019/01/29 07:04:09 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.6 2023/03/23 12:08:39 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -192,7 +192,16 @@ rip6_input(struct mbuf **mp, int *offp, 
 			continue;
 		if (in6p->in6p_cksum != -1) {
 			RIP6_STATINC(RIP6_STAT_ISUM);
-			if (in6_cksum(m, proto, *offp,
+			/*
+			 * Although in6_cksum() does not need the position of
+			 * the checksum field for verification, enforce that it
+			 * is located within the packet.  Userland has given
+			 * a checksum offset, a packet too short for that is
+			 * invalid.  Avoid overflow with user supplied offset.
+			 */
+			if (m->m_pkthdr.len < *offp + 2 ||
+			    m->m_pkthdr.len - *offp - 2 < in6p->in6p_cksum ||
+			    in6_cksum(m, proto, *offp,
 			    m->m_pkthdr.len - *offp)) {
 				RIP6_STATINC(RIP6_STAT_BADSUM);
 				continue;
@@ -491,7 +500,7 @@ rip6_output(struct mbuf *m, struct socke
 			off = offsetof(struct icmp6_hdr, icmp6_cksum);
 		else
 			off = in6p->in6p_cksum;
-		if (plen < off + 1) {
+		if (plen < 2 || plen - 2 < off) {
 			error = EINVAL;
 			goto bad;
 		}

Reply via email to