authorPhilip Guenthe <guenther@cvs.openbsd.org>2009-11-20 09:02:22 +0000
committerPhilip Guenthe <guenther@cvs.openbsd.org>2009-11-20 09:02:22 +0000
commit034fe0cf681e7e0233c00bfccbfb2e494195978b (patch)
tree186a887c17f5edce846cb4562f90b836f0db0959 /sys/netinet6
parent8644e9bd50f7313dd63fcb8a9dd8f9c500f208c5 (diff)
NULL dereference in IPV6_PORTRANGE and IP_IPSEC_*, found by Clement LECIGNE,
localhost DoS everywhere. To help minimize further issues, make the mbuf != NULL test explicit instead of implicit in a length test. Suggestions and initial work by mpf@ and miod@ ok henning@, mpf@, claudio@,
Diffstat (limited to 'sys/netinet6')
-rw-r--r--sys/netinet6/icmp6.c7
-rw-r--r--sys/netinet6/ip6_output.c20
2 files changed, 12 insertions, 15 deletions
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index 164b202af74..2904261c302 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: icmp6.c,v 1.107 2009/09/13 14:42:52 krw Exp $ */
+/* $OpenBSD: icmp6.c,v 1.108 2009/11/20 09:02:21 guenther Exp $ */
/* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
/*
@@ -2647,12 +2647,9 @@ icmp6_ctloutput(int op, struct socket *so, int level, int optname,
struct mbuf **mp)
{
int error = 0;
- int optlen;
struct in6pcb *in6p = sotoin6pcb(so);
struct mbuf *m = *mp;
- optlen = m ? m->m_len : 0;
-
if (level != IPPROTO_ICMPV6) {
if (op == PRCO_SETOPT && m)
(void)m_free(m);
@@ -2666,7 +2663,7 @@ icmp6_ctloutput(int op, struct socket *so, int level, int optname,
{
struct icmp6_filter *p;
- if (optlen != sizeof(*p)) {
+ if (m == NULL || m->m_len != sizeof(*p)) {
error = EMSGSIZE;
break;
}
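Review bot: The `m == NULL || m->m_len != sizeof(*p)` guard added here is repeated, differing only in the size operand, at five more sites in ip6_output.c (the IPV6_* int-option cases and IPV6_PORTRANGE in ip6_ctloutput, and PRCO_SETOPT in ip6_raw_ctloutput), each immediately followed by a `mtod()`. Since the description gives the motivation as keeping further NULL-mbuf dereferences from slipping in, a single helper such as `static inline int opt_mbuf_ok(const struct mbuf *m, size_t len) { return m != NULL && m->m_len == len; }` would give future option cases one obvious check to call before `mtod()`, and would keep the six copies from drifting apart. The NULL case itself is not obvious from the guard alone, so a one-line comment above it, `/* no option data was supplied, or it has the wrong size */`, would help the next reader; `m` appears to be NULL when PRCO_SETOPT arrives without data, judging by the `op == PRCO_SETOPT && m` test a few lines up. icmp6_ctloutput's body continues outside this hunk.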
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 565ca1b88b3..cceb8906596 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.108 2009/10/28 21:03:17 deraadt Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.109 2009/11/20 09:02:21 guenther Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -1283,7 +1283,6 @@ ip6_ctloutput(int op, struct socket *so, int level, int optname,
struct inpcb *inp = sotoinpcb(so);
struct mbuf *m = *mp;
int error, optval;
- int optlen;
#ifdef IPSEC
struct proc *p = curproc; /* XXX */
struct tdb *tdb;
@@ -1291,7 +1290,6 @@ ip6_ctloutput(int op, struct socket *so, int level, int optname,
int s;
#endif
- optlen = m ? m->m_len : 0;
error = optval = 0;
privileged = (inp->inp_socket->so_state & SS_PRIV);
@@ -1340,7 +1338,7 @@ ip6_ctloutput(int op, struct socket *so, int level, int optname,
case IPV6_RECVTCLASS:
case IPV6_V6ONLY:
case IPV6_AUTOFLOWLABEL:
- if (optlen != sizeof(int)) {
+ if (m == NULL || m->m_len != sizeof(int)) {
error = EINVAL;
break;
}
@@ -1494,7 +1492,7 @@ do { \
case IPV6_TCLASS:
case IPV6_DONTFRAG:
case IPV6_USE_MIN_MTU:
- if (optlen != sizeof(optval)) {
+ if (m == NULL || m->m_len != sizeof(optval)) {
error = EINVAL;
break;
}
@@ -1516,7 +1514,7 @@ do { \
case IPV6_2292DSTOPTS:
case IPV6_2292RTHDR:
/* RFC 2292 */
- if (optlen != sizeof(int)) {
+ if (m == NULL || m->m_len != sizeof(int)) {
error = EINVAL;
break;
}
@@ -1595,6 +1593,10 @@ do { \
break;
case IPV6_PORTRANGE:
+ if (m == NULL || m->m_len != sizeof(int)) {
+ error = EINVAL;
+ break;
+ }
optval = *mtod(m, int *);
switch (optval) {
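Review bot: The added test before `optval = *mtod(m, int *)` closes the IPV6_PORTRANGE dereference named in the description, but none of this file's hunks touch IPsec options even though the description also cites IP_IPSEC_*; presumably those are the IPv4 counterparts in sys/netinet, outside this diffstat. ip6_ctloutput does carry an `#ifdef IPSEC` section (visible in the hunk at line 1283), and any IPv6 IPsec level-option case in it that reads `*mtod(m, int *)` would need the same `m == NULL || m->m_len != sizeof(int)` guard; that code falls outside the hunks shown, so this is worth confirming rather than assumed fixed. A short comment above the new check, `/* reject a missing or mis-sized option before mtod() */`, would record why the NULL test is written out explicitly, as the description asks. The enclosing switch and function continue outside this hunk.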
@@ -1961,13 +1963,11 @@ int
ip6_raw_ctloutput(int op, struct socket *so, int level, int optname,
struct mbuf **mp)
{
- int error = 0, optval, optlen;
+ int error = 0, optval;
const int icmp6off = offsetof(struct icmp6_hdr, icmp6_cksum);
struct inpcb *inp = sotoinpcb(so);
struct mbuf *m = *mp;
- optlen = m ? m->m_len : 0;
-
if (level != IPPROTO_IPV6) {
if (op == PRCO_SETOPT && *mp)
(void)m_free(*mp);
@@ -1986,7 +1986,7 @@ ip6_raw_ctloutput(int op, struct socket *so, int level, int optname,
*/
switch (op) {
case PRCO_SETOPT:
- if (optlen != sizeof(int)) {
+ if (m == NULL || m->m_len != sizeof(int)) {
error = EINVAL;
break;
}