Module Name: src Committed By: martin Date: Thu Mar 23 12:08:39 UTC 2023
Modified Files: src/sys/netinet6 [netbsd-8]: ip6_output.c raw_ip6.c Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #1808): sys/netinet6/raw_ip6.c: revision 1.183 (via patch) sys/netinet6/ip6_output.c: revision 1.233 in6: reject setting negative values but -1 via setsockopt(IPV6_CHECKSUM) Same as OpenBSD. in6: make sure a user-specified checksum field is within a packet >From OpenBSD To generate a diff of this commit: cvs rdiff -u -r1.191.6.4 -r1.191.6.5 src/sys/netinet6/ip6_output.c cvs rdiff -u -r1.157.2.5 -r1.157.2.6 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet6/ip6_output.c diff -u src/sys/netinet6/ip6_output.c:1.191.6.4 src/sys/netinet6/ip6_output.c:1.191.6.5 --- src/sys/netinet6/ip6_output.c:1.191.6.4 Tue Jan 2 10:20:34 2018 +++ src/sys/netinet6/ip6_output.c Thu Mar 23 12:08:39 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_output.c,v 1.191.6.4 2018/01/02 10:20:34 snj Exp $ */ +/* $NetBSD: ip6_output.c,v 1.191.6.5 2023/03/23 12:08:39 martin Exp $ */ /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191.6.4 2018/01/02 10:20:34 snj Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191.6.5 2023/03/23 12:08:39 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -2028,8 +2028,12 @@ ip6_raw_ctloutput(int op, struct socket error = sockopt_getint(sopt, &optval); if (error) break; - if ((optval % 2) != 0) { - /* the API assumes even offset values */ + if (optval < -1 || + (optval > 0 && (optval % 2) != 0)) { + /* + * The API assumes non-negative even offset + * values or -1 as a special value. + */ error = EINVAL; } else if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) { Index: src/sys/netinet6/raw_ip6.c diff -u src/sys/netinet6/raw_ip6.c:1.157.2.5 src/sys/netinet6/raw_ip6.c:1.157.2.6 --- src/sys/netinet6/raw_ip6.c:1.157.2.5 Tue Jan 29 07:04:09 2019 +++ src/sys/netinet6/raw_ip6.c Thu Mar 23 12:08:39 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: raw_ip6.c,v 1.157.2.5 2019/01/29 07:04:09 msaitoh Exp $ */ +/* $NetBSD: raw_ip6.c,v 1.157.2.6 2023/03/23 12:08:39 martin Exp $ */ /* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.5 2019/01/29 07:04:09 msaitoh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.6 2023/03/23 12:08:39 martin Exp $"); #ifdef _KERNEL_OPT #include "opt_ipsec.h" @@ -192,7 +192,16 @@ rip6_input(struct mbuf **mp, int *offp, continue; if (in6p->in6p_cksum != -1) { RIP6_STATINC(RIP6_STAT_ISUM); - if (in6_cksum(m, proto, *offp, + /* + * Although in6_cksum() does not need the position of + * the checksum field for verification, enforce that it + * is located within the packet. Userland has given + * a checksum offset, a packet too short for that is + * invalid. Avoid overflow with user supplied offset. + */ + if (m->m_pkthdr.len < *offp + 2 || + m->m_pkthdr.len - *offp - 2 < in6p->in6p_cksum || + in6_cksum(m, proto, *offp, m->m_pkthdr.len - *offp)) { RIP6_STATINC(RIP6_STAT_BADSUM); continue; @@ -491,7 +500,7 @@ rip6_output(struct mbuf *m, struct socke off = offsetof(struct icmp6_hdr, icmp6_cksum); else off = in6p->in6p_cksum; - if (plen < off + 1) { + if (plen < 2 || plen - 2 < off) { error = EINVAL; goto bad; }