Module Name:    src
Committed By:   maxv
Date:           Thu Feb  8 09:32:02 UTC 2018

Modified Files:
        src/sys/netinet: ip_icmp.c

Log Message:
Fix a possible buffer overflow in the IPv4 _ctlinput functions.

In _icmp_input we are guaranteeing that the ICMP_ADVLENMIN-byte area
starting from 'icp' is contiguous.

        ICMP_ADVLENMIN = 8 + sizeof(struct ip) + 8 = 36

But the _ctlinput functions (eg udp_ctlinput) expect the area to be
larger. These functions read at:

        (uint8_t *)icp + 8 + (icp->icmp_ip.ip_hl << 2)

which can be crafted to be:

        (uint8_t *)icp + 68

So we end up reading 'icp+68' while the valid area ended at 'icp+36'.

Having said that, it seems pretty complicated to trigger this bug; it
would have to be a fragmented packet with half of the ICMP header in the
first fragment, and we would need to have a driver that did not allocate
a cluster for the first mbuf of the chain.

The check of icmplen against ICMP_ADVLEN(icp) was not sufficient: while it
did guarantee that the ICMP header fit the chain, it did not guarantee
that it fit 'm'.

Fix this bug by pulling up to hlen+ICMP_ADVLEN(icp). No need to log an
error. Rebase the pointers afterwards.

To generate a diff of this commit:
cvs rdiff -u -r1.167 -r1.168 src/sys/netinet/ip_icmp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Reply via email to