summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMartin Pieuchot <mpi@cvs.openbsd.org>2015-03-14 17:13:45 +0000
committerMartin Pieuchot <mpi@cvs.openbsd.org>2015-03-14 17:13:45 +0000
commit96f18009292add7b1fc3dc11a6defa138f869e93 (patch)
tree29f283adba542477e1900808bb58b608fda5cc03
parentbd1f94bd2fe0ba57976886024d2944d33976a9f4 (diff)
Check for the size of the supposed destination address when constructing
the Ethernet frame. Prevent an overflow reported by Henk Jan Agteresch on bugs@.
-rw-r--r--sys/netinet/if_ether.c9
-rw-r--r--sys/netinet6/nd6.c10
2 files changed, 12 insertions, 7 deletions
diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c
index 68ddf9f981b..3fa68753f74 100644
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_ether.c,v 1.147 2015/03/14 03:38:51 jsg Exp $ */
+/* $OpenBSD: if_ether.c,v 1.148 2015/03/14 17:13:44 mpi Exp $ */
/* $NetBSD: if_ether.c,v 1.31 1996/05/11 12:59:58 mycroft Exp $ */
/*
@@ -399,6 +399,13 @@ arpresolve(struct arpcom *ac, struct rtentry *rt0, struct mbuf *m,
return (EINVAL);
}
sdl = SDL(rt->rt_gateway);
+ if (sdl->sdl_alen > 0 && sdl->sdl_alen != ETHER_ADDR_LEN) {
+ log(LOG_DEBUG, "%s: %s: incorrect arp information\n", __func__,
+ inet_ntop(AF_INET, &satosin(dst)->sin_addr,
+ addr, sizeof(addr)));
+ m_freem(m);
+ return (EINVAL);
+ }
/*
* Check the address family and length is valid, the address
* is resolved; otherwise, try to resolve.
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 2fc681075b7..7ffed43dc21 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nd6.c,v 1.131 2015/02/11 23:34:43 mpi Exp $ */
+/* $OpenBSD: nd6.c,v 1.132 2015/03/14 17:13:44 mpi Exp $ */
/* $KAME: nd6.c,v 1.280 2002/06/08 19:52:07 itojun Exp $ */
/*
@@ -1868,13 +1868,11 @@ nd6_storelladdr(struct ifnet *ifp, struct rtentry *rt0, struct mbuf *m,
return (EINVAL);
}
sdl = SDL(rt->rt_gateway);
- if (sdl->sdl_alen == 0) {
+ if (sdl->sdl_alen != ETHER_ADDR_LEN) {
char addr[INET6_ADDRSTRLEN];
- /* this should be impossible, but we bark here for debugging */
- printf("nd6_storelladdr: sdl_alen == 0, dst=%s, if=%s\n",
+ log(LOG_DEBUG, "%s: %s: incorrect nd6 information\n", __func__,
inet_ntop(AF_INET6, &satosin6(dst)->sin6_addr,
- addr, sizeof(addr)),
- ifp->if_xname);
+ addr, sizeof(addr)));
m_freem(m);
return (EINVAL);
}