Module Name: src
Committed By: maxv
Date: Thu Feb 8 09:32:02 UTC 2018
Fix a possible buffer overflow in the IPv4 _ctlinput functions.
In _icmp_input we are guaranteeing that the ICMP_ADVLENMIN-byte area
starting from 'icp' is contiguous.
ICMP_ADVLENMIN = 8 + sizeof(struct ip) + 8 = 36
But the _ctlinput functions (eg udp_ctlinput) expect the area to be
larger. These functions read at:
(uint8_t *)icp + 8 + (icp->icmp_ip.ip_hl << 2)
which can be crafted to be:
(uint8_t *)icp + 68
So we end up reading 'icp+68' while the valid area ended at 'icp+36'.
Having said that, it seems pretty complicated to trigger this bug; it
would have to be a fragmented packet with half of the ICMP header in the
first fragment, and we would need to have a driver that did not allocate
a cluster for the first mbuf of the chain.
The check of icmplen against ICMP_ADVLEN(icp) was not sufficient: while it
did guarantee that the ICMP header fit the chain, it did not guarantee
that it fit 'm'.
Fix this bug by pulling up to hlen+ICMP_ADVLEN(icp). No need to log an
error. Rebase the pointers afterwards.
To generate a diff of this commit:
cvs rdiff -u -r1.167 -r1.168 src/sys/netinet/ip_icmp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.