Module Name: src Committed By: maxv Date: Mon May 7 19:34:04 UTC 2018
Modified Files: src/sys/netinet: ip_mroute.c Log Message: Fix possible buffer overflow. We need to make sure the inner IPv4 packet doesn't have options, because we validate only an option-less header. To generate a diff of this commit: cvs rdiff -u -r1.157 -r1.158 src/sys/netinet/ip_mroute.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:

Index: src/sys/netinet/ip_mroute.c
diff -u src/sys/netinet/ip_mroute.c:1.157 src/sys/netinet/ip_mroute.c:1.158
--- src/sys/netinet/ip_mroute.c:1.157 Wed Apr 11 06:26:00 2018
+++ src/sys/netinet/ip_mroute.c Mon May 7 19:34:03 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_mroute.c,v 1.157 2018/04/11 06:26:00 maxv Exp $ */
+/* $NetBSD: ip_mroute.c,v 1.158 2018/05/07 19:34:03 maxv Exp $ */
 
 /*
 * Copyright (c) 1992, 1993
@@ -93,7 +93,7 @@
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.157 2018/04/11 06:26:00 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.158 2018/05/07 19:34:03 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -3070,6 +3070,13 @@ pim_input(struct mbuf *m, ...)
 return;
 }
 
+ /* verify the inner packet doesn't have options */
+ if (encap_ip->ip_hl != (sizeof(struct ip) >> 2)) {
+ pimstat.pims_rcv_badregisters++;
+ m_freem(m);
+ return;
+ }
+
 /* verify the inner packet is destined to a mcast group */
 if (!IN_MULTICAST(encap_ip->ip_dst.s_addr)) {
 pimstat.pims_rcv_badregisters++;
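Review bot: The comment added above the `encap_ip->ip_hl` test in the third hunk says what is checked but not why, and the why is the security-relevant part. Per the log message only an option-less inner header is validated, so a larger `ip_hl` would let later code rely on header bytes that were never checked. I would word it as `/* reject inner IPv4 options: only sizeof(struct ip) bytes of the inner header are validated */` so the test is not relaxed later without extending that validation. Register messages whose inner packet legitimately carries IP options are now dropped under the generic `pims_rcv_badregisters` counter, with no distinct counter or log call visible in this hunk, which may make such drops hard to tell apart from other malformed registers. The body of pim_input() starts and ends outside the hunk, so the earlier length validation cannot be confirmed from here.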