diff options
author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2000-10-13 17:58:38 +0000 |
---|---|---|
committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2000-10-13 17:58:38 +0000 |
commit | 4b55b9f6971d49aed0f2eb3af6553a428fa15e5f (patch) | |
tree | 80f7e806e197ea97c4d29040bca603819d27a87c | |
parent | b272da417dae46e5fd9ed0a269d8b395d6374340 (diff) |
validate mbuf chain length on *_ctlinput. remote node may be able to
transmit a truncated icmp6 packet and panic the system. sync with kame.
-rw-r--r-- | sys/netinet/tcp_subr.c | 6 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 20 |
2 files changed, 16 insertions, 10 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 308e7f28a7a..39043f8e7cc 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_subr.c,v 1.34 2000/10/10 15:16:02 provos Exp $ */ +/* $OpenBSD: tcp_subr.c,v 1.35 2000/10/13 17:58:36 itojun Exp $ */ /* $NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $ */ /* @@ -772,6 +772,10 @@ tcp6_ctlinput(cmd, sa, d) ip6_tmp.ip6_dst.s6_addr16[1] = htons(m->m_pkthdr.rcvif->if_index); + /* check if we can safely examine src and dst ports */ + if (m->m_pkthdr.len < off + sizeof(th)) + return; + if (m->m_len < off + sizeof(th)) { /* * this should be rare case, diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index ceec64207ec..d3ecb7d686f 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_usrreq.c,v 1.50 2000/10/11 09:14:13 itojun Exp $ */ +/* $OpenBSD: udp_usrreq.c,v 1.51 2000/10/13 17:58:37 itojun Exp $ */ /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */ /* @@ -693,7 +693,7 @@ udp_ctlinput(cmd, sa, v) void *v; { register struct ip *ip = v; - register struct udphdr *uh; + register struct udphdr *uhp; extern int inetctlerrmap[]; void (*notify) __P((struct inpcb *, int)) = udp_notify; int errno; @@ -712,12 +712,14 @@ udp_ctlinput(cmd, sa, v) #ifdef INET6 if (sa->sa_family == AF_INET6) { if (ip) { - struct ip6_hdr *ipv6 = (struct ip6_hdr *)ip; + struct ip6_hdr *ip6 = (struct ip6_hdr *)ip; - uh = (struct udphdr *)((caddr_t)ipv6 + sizeof(struct ip6_hdr)); + /* XXX we assume that the mbuf is sane enough */ + + uhp = (struct udphdr *)((caddr_t)ip6 + sizeof(*ip6)); #if 0 /*XXX*/ - in6_pcbnotify(&udbtable, sa, uh->uh_dport, - &(ipv6->ip6_src), uh->uh_sport, cmd, udp_notify); + in6_pcbnotify(&udbtable, sa, uhp->uh_dport, + &(ip6->ip6_src), uhp->uh_sport, cmd, udp_notify); #endif } else { #if 0 /*XXX*/ @@ -728,9 +730,9 @@ udp_ctlinput(cmd, sa, v) } else #endif /* INET6 */ if (ip) { - uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2)); - in_pcbnotify(&udbtable, sa, uh->uh_dport, ip->ip_src, - uh->uh_sport, errno, notify); + uhp = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2)); + in_pcbnotify(&udbtable, sa, uhp->uh_dport, ip->ip_src, + uhp->uh_sport, errno, notify); } else in_pcbnotifyall(&udbtable, sa, errno, notify); return NULL; |