Module Name:    src
Committed By:   maxv
Date:           Sat Apr 14 17:55:47 UTC 2018

Modified Files:
        src/sys/netinet6: icmp6.c

Log Message:
Fix 'icmp6len', it shouldn't be ip6_plen, because we may not be at the
beginning of the packet (off+ip6_plen is beyond the end of the mbuf).

By luck, the IP6_EXTHDR_GET that follows will fail and prevent buffer
overflows in non-jumbogram packets.

For jumbograms we will probably be in trouble here; but it doesn't seem
possible to craft reliably a jumbogram for a non-jumbogram-enabled device.
So I don't think it's a huge problem.

To generate a diff of this commit:
cvs rdiff -u -r1.229 -r1.230 src/sys/netinet6/icmp6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/sys/netinet6/icmp6.c diff -u src/sys/netinet6/icmp6.c:1.229 src/sys/netinet6/icmp6.c:1.230 --- src/sys/netinet6/icmp6.c:1.229 Sat Apr 14 14:59:58 2018 +++ src/sys/netinet6/icmp6.c Sat Apr 14 17:55:47 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: icmp6.c,v 1.229 2018/04/14 14:59:58 maxv Exp $ */ +/* $NetBSD: icmp6.c,v 1.230 2018/04/14 17:55:47 maxv Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.229 2018/04/14 14:59:58 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.230 2018/04/14 17:55:47 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -2224,7 +2224,7 @@ icmp6_redirect_input(struct mbuf *m, int struct ifnet *ifp; struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); struct nd_redirect *nd_rd; - int icmp6len = ntohs(ip6->ip6_plen); + int icmp6len = m->m_pkthdr.len - off; char *lladdr = NULL; int lladdrlen = 0; struct rtentry *rt = NULL;
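
Review bot: In the icmp6_redirect_input hunk, the new initializer "int icmp6len = m->m_pkthdr.len - off;" is a signed subtraction with no guard visible in the context that off lies within the packet; if off ever exceeded m->m_pkthdr.len, icmp6len would be negative and any later length comparison against it would misbehave. Consider asserting off <= m->m_pkthdr.len at the declaration (a KASSERT would do), or assigning the value only after an explicit check. The log message says the IP6_EXTHDR_GET that follows prevented the overflow only by luck, so a short comment on this line recording that ip6_plen is measured from the end of the IPv6 header rather than from off would help keep the old expression from being reintroduced. The two $NetBSD$ ident hunks are routine version bumps and need no change.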