Module Name: src
Committed By: maxv
Date: Mon May 7 19:34:04 UTC 2018
Modified Files:
src/sys/netinet: ip_mroute.c
Log Message:
Fix possible buffer overflow. We need to make sure the inner IPv4 packet
doesn't have options, because we validate only an option-less header.
To generate a diff of this commit:
cvs rdiff -u -r1.157 -r1.158 src/sys/netinet/ip_mroute.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet/ip_mroute.c
diff -u src/sys/netinet/ip_mroute.c:1.157 src/sys/netinet/ip_mroute.c:1.158
--- src/sys/netinet/ip_mroute.c:1.157 Wed Apr 11 06:26:00 2018
+++ src/sys/netinet/ip_mroute.c Mon May 7 19:34:03 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_mroute.c,v 1.157 2018/04/11 06:26:00 maxv Exp $ */
+/* $NetBSD: ip_mroute.c,v 1.158 2018/05/07 19:34:03 maxv Exp $ */
/*
* Copyright (c) 1992, 1993
@@ -93,7 +93,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.157 2018/04/11 06:26:00 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.158 2018/05/07 19:34:03 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -3070,6 +3070,13 @@ pim_input(struct mbuf *m, ...)
return;
}
+ /* verify the inner packet doesn't have options */
+ if (encap_ip->ip_hl != (sizeof(struct ip) >> 2)) {
+ pimstat.pims_rcv_badregisters++;
+ m_freem(m);
+ return;
+ }
+
/* verify the inner packet is destined to a mcast group */
if (!IN_MULTICAST(encap_ip->ip_dst.s_addr)) {
pimstat.pims_rcv_badregisters++;
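Review bot: The comment on the added check says what is verified but not why, and the reason is the security-relevant part: per the log message only an option-less inner header has been validated at this point, so an `ip_hl` larger than `sizeof(struct ip) >> 2` would describe header bytes that were never length-checked. I would expand it to something like `/* only sizeof(struct ip) of the inner header was validated; reject options so ip_hl is never trusted beyond that */`. As a style point, `(encap_ip->ip_hl << 2) != sizeof(struct ip)` compares in bytes and reads more directly than shifting the `sizeof`. The drop also reuses `pims_rcv_badregisters`, the counter the multicast-destination check below increments, so the statistic alone cannot show that option-bearing registers are arriving. pim_input's body starts and ends outside the hunk, so the earlier length validation this check relies on is not visible here.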