Module Name: src Committed By: maxv Date: Thu Feb 8 09:32:02 UTC 2018
Modified Files: src/sys/netinet: ip_icmp.c Log Message: Fix a possible buffer overflow in the IPv4 _ctlinput functions. In _icmp_input we are guaranteeing that the ICMP_ADVLENMIN-byte area starting from 'icp' is contiguous. ICMP_ADVLENMIN = 8 + sizeof(struct ip) + 8 = 36 But the _ctlinput functions (eg udp_ctlinput) expect the area to be larger. These functions read at: (uint8_t *)icp + 8 + (icp->icmp_ip.ip_hl << 2) which can be crafted to be: (uint8_t *)icp + 68 So we end up reading 'icp+68' while the valid area ended at 'icp+36'. Having said that, it seems pretty complicated to trigger this bug; it would have to be a fragmented packet with half of the ICMP header in the first fragment, and we would need to have a driver that did not allocate a cluster for the first mbuf of the chain. The check of icmplen against ICMP_ADVLEN(icp) was not sufficient: while it did guarantee that the ICMP header fit the chain, it did not guarantee that it fit 'm'. Fix this bug by pulling up to hlen+ICMP_ADVLEN(icp). No need to log an error. Rebase the pointers afterwards. To generate a diff of this commit: cvs rdiff -u -r1.167 -r1.168 src/sys/netinet/ip_icmp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet/ip_icmp.c diff -u src/sys/netinet/ip_icmp.c:1.167 src/sys/netinet/ip_icmp.c:1.168 --- src/sys/netinet/ip_icmp.c:1.167 Mon Feb 5 08:38:06 2018 +++ src/sys/netinet/ip_icmp.c Thu Feb 8 09:32:02 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_icmp.c,v 1.167 2018/02/05 08:38:06 maxv Exp $ */ +/* $NetBSD: ip_icmp.c,v 1.168 2018/02/08 09:32:02 maxv Exp $ */ /* * Copyright (c) 1998, 2000 The NetBSD Foundation, Inc. @@ -94,7 +94,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.167 2018/02/05 08:38:06 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.168 2018/02/08 09:32:02 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_ipsec.h" @@ -546,6 +546,14 @@ _icmp_input(struct mbuf *m, int hlen, in ICMP_STATINC(ICMP_STAT_BADLEN); goto freeit; } + if (m->m_len < hlen + ICMP_ADVLEN(icp)) { + m = m_pullup(m, hlen + ICMP_ADVLEN(icp)); + if (m == NULL) + goto freeit; + } + ip = mtod(m, struct ip *); + icp = (struct icmp *)(mtod(m, uint8_t *) + hlen); + if (IN_MULTICAST(icp->icmp_ip.ip_dst.s_addr)) goto badcode; #ifdef ICMPPRINTFS