summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2000-10-13 17:58:38 +0000
committerJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2000-10-13 17:58:38 +0000
commit4b55b9f6971d49aed0f2eb3af6553a428fa15e5f (patch)
tree80f7e806e197ea97c4d29040bca603819d27a87c
parentb272da417dae46e5fd9ed0a269d8b395d6374340 (diff)
validate mbuf chain length on *_ctlinput. remote node may be able to
transmit a truncated icmp6 packet and panic the system. sync with kame.
-rw-r--r--sys/netinet/tcp_subr.c6
-rw-r--r--sys/netinet/udp_usrreq.c20
2 files changed, 16 insertions, 10 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 308e7f28a7a..39043f8e7cc 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_subr.c,v 1.34 2000/10/10 15:16:02 provos Exp $ */
+/* $OpenBSD: tcp_subr.c,v 1.35 2000/10/13 17:58:36 itojun Exp $ */
/* $NetBSD: tcp_subr.c,v 1.22 1996/02/13 23:44:00 christos Exp $ */
/*
@@ -772,6 +772,10 @@ tcp6_ctlinput(cmd, sa, d)
ip6_tmp.ip6_dst.s6_addr16[1] =
htons(m->m_pkthdr.rcvif->if_index);
+ /* check if we can safely examine src and dst ports */
+ if (m->m_pkthdr.len < off + sizeof(th))
+ return;
+
if (m->m_len < off + sizeof(th)) {
/*
* this should be rare case,
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index ceec64207ec..d3ecb7d686f 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.50 2000/10/11 09:14:13 itojun Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.51 2000/10/13 17:58:37 itojun Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -693,7 +693,7 @@ udp_ctlinput(cmd, sa, v)
void *v;
{
register struct ip *ip = v;
- register struct udphdr *uh;
+ register struct udphdr *uhp;
extern int inetctlerrmap[];
void (*notify) __P((struct inpcb *, int)) = udp_notify;
int errno;
@@ -712,12 +712,14 @@ udp_ctlinput(cmd, sa, v)
#ifdef INET6
if (sa->sa_family == AF_INET6) {
if (ip) {
- struct ip6_hdr *ipv6 = (struct ip6_hdr *)ip;
+ struct ip6_hdr *ip6 = (struct ip6_hdr *)ip;
- uh = (struct udphdr *)((caddr_t)ipv6 + sizeof(struct ip6_hdr));
+ /* XXX we assume that the mbuf is sane enough */
+
+ uhp = (struct udphdr *)((caddr_t)ip6 + sizeof(*ip6));
#if 0 /*XXX*/
- in6_pcbnotify(&udbtable, sa, uh->uh_dport,
- &(ipv6->ip6_src), uh->uh_sport, cmd, udp_notify);
+ in6_pcbnotify(&udbtable, sa, uhp->uh_dport,
+ &(ip6->ip6_src), uhp->uh_sport, cmd, udp_notify);
#endif
} else {
#if 0 /*XXX*/
@@ -728,9 +730,9 @@ udp_ctlinput(cmd, sa, v)
} else
#endif /* INET6 */
if (ip) {
- uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2));
- in_pcbnotify(&udbtable, sa, uh->uh_dport, ip->ip_src,
- uh->uh_sport, errno, notify);
+ uhp = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2));
+ in_pcbnotify(&udbtable, sa, uhp->uh_dport, ip->ip_src,
+ uhp->uh_sport, errno, notify);
} else
in_pcbnotifyall(&udbtable, sa, errno, notify);
return NULL;