Module Name:    src
Committed By:   maxv
Date:           Sat Apr 14 17:55:47 UTC 2018

Modified Files:
        src/sys/netinet6: icmp6.c

Log Message:
Fix 'icmp6len', it shouldn't be ip6_plen, because we may not be at the
beginning of the packet (off+ip6_plen is beyond the end of the mbuf). By
luck, the IP6_EXTHDR_GET that follows will fail and prevent buffer
overflows in non-jumbogram packets.

For jumbograms we will probably be in trouble here; but it doesn't seem
possible to craft reliably a jumbogram for a non-jumbogram-enabled device.

So I don't think it's a huge problem.


To generate a diff of this commit:
cvs rdiff -u -r1.229 -r1.230 src/sys/netinet6/icmp6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/icmp6.c
diff -u src/sys/netinet6/icmp6.c:1.229 src/sys/netinet6/icmp6.c:1.230
--- src/sys/netinet6/icmp6.c:1.229	Sat Apr 14 14:59:58 2018
+++ src/sys/netinet6/icmp6.c	Sat Apr 14 17:55:47 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: icmp6.c,v 1.229 2018/04/14 14:59:58 maxv Exp $	*/
+/*	$NetBSD: icmp6.c,v 1.230 2018/04/14 17:55:47 maxv Exp $	*/
 /*	$KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.229 2018/04/14 14:59:58 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.230 2018/04/14 17:55:47 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2224,7 +2224,7 @@ icmp6_redirect_input(struct mbuf *m, int
 	struct ifnet *ifp;
 	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 	struct nd_redirect *nd_rd;
-	int icmp6len = ntohs(ip6->ip6_plen);
+	int icmp6len = m->m_pkthdr.len - off;
 	char *lladdr = NULL;
 	int lladdrlen = 0;
 	struct rtentry *rt = NULL;
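
Review bot: the new initializer `int icmp6len = m->m_pkthdr.len - off;` in icmp6_redirect_input() is a signed subtraction, and nothing visible in this hunk bounds `off` against `m->m_pkthdr.len` or checks that the result covers at least sizeof(struct nd_redirect). The log message relies on the IP6_EXTHDR_GET that follows to reject short packets; if that is the only guard, consider an explicit length check or a KASSERT next to the declaration so later uses of icmp6len do not depend on that ordering. A one-line comment saying why ip6_plen is not used here (we may not be at the beginning of the packet) would also keep the next reader from reverting it.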
