CVS commit: src/sys/netinet

Thu, 08 Feb 2018 01:32:34 -0800 

Module Name:    src
Committed By:   maxv
Date:           Thu Feb  8 09:32:02 UTC 2018

Modified Files:
        src/sys/netinet: ip_icmp.c

Log Message:
Fix a possible buffer overflow in the IPv4 _ctlinput functions.

In _icmp_input we are guaranteeing that the ICMP_ADVLENMIN-byte area
starting from 'icp' is contiguous.

        ICMP_ADVLENMIN = 8 + sizeof(struct ip) + 8 = 36

But the _ctlinput functions (eg udp_ctlinput) expect the area to be
larger. These functions read at:

        (uint8_t *)icp + 8 + (icp->icmp_ip.ip_hl << 2)

which can be crafted to be:

        (uint8_t *)icp + 68

So we end up reading 'icp+68' while the valid area ended at 'icp+36'.

Having said that, it seems pretty complicated to trigger this bug; it
would have to be a fragmented packet with half of the ICMP header in the
first fragment, and we would need to have a driver that did not allocate
a cluster for the first mbuf of the chain.

The check of icmplen against ICMP_ADVLEN(icp) was not sufficient: while it
did guarantee that the ICMP header fit the chain, it did not guarantee
that it fit 'm'.

Fix this bug by pulling up to hlen+ICMP_ADVLEN(icp). No need to log an
error. Rebase the pointers afterwards.


To generate a diff of this commit:
cvs rdiff -u -r1.167 -r1.168 src/sys/netinet/ip_icmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/netinet/ip_icmp.c
diff -u src/sys/netinet/ip_icmp.c:1.167 src/sys/netinet/ip_icmp.c:1.168
--- src/sys/netinet/ip_icmp.c:1.167	Mon Feb  5 08:38:06 2018
+++ src/sys/netinet/ip_icmp.c	Thu Feb  8 09:32:02 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_icmp.c,v 1.167 2018/02/05 08:38:06 maxv Exp $	*/
+/*	$NetBSD: ip_icmp.c,v 1.168 2018/02/08 09:32:02 maxv Exp $	*/
 
 /*
  * Copyright (c) 1998, 2000 The NetBSD Foundation, Inc.
@@ -94,7 +94,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.167 2018/02/05 08:38:06 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.168 2018/02/08 09:32:02 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -546,6 +546,14 @@ _icmp_input(struct mbuf *m, int hlen, in
 			ICMP_STATINC(ICMP_STAT_BADLEN);
 			goto freeit;
 		}
+		if (m->m_len < hlen + ICMP_ADVLEN(icp)) {
+			m = m_pullup(m, hlen + ICMP_ADVLEN(icp));
+			if (m == NULL)
+				goto freeit;
+		}
+		ip = mtod(m, struct ip *);
+		icp = (struct icmp *)(mtod(m, uint8_t *) + hlen);
+
 		if (IN_MULTICAST(icp->icmp_ip.ip_dst.s_addr))
 			goto badcode;
 #ifdef ICMPPRINTFS

Reply via email to