authorClaudio Jeker <claudio@cvs.openbsd.org>2018-11-05 10:06:11 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2018-11-05 10:06:11 +0000
commit106b0d740ff85fe23801a46a83ca4a5f945b4d3f (patch)
tree9f16821c702a407a2312659f40ccb7c83575df37 /sys
parent9d72fe3fc643c2b158a06db6c848a584b9686c3d (diff)
Fixup the case where an mbuf cluster is used. Correctly offset the data to
the end of the cluster (there is no M_ALIGN version for clusters so it is hard coded). Also make the sanity check more general by using m_leadingspace. Not a security issue since the cluster code is not reachable, there is enough space in an mbuf. OK bluhm@
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_icmp.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 4357de328dc..d911e72d3d2 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_icmp.c,v 1.177 2018/09/06 03:42:21 miko Exp $ */
+/* $OpenBSD: ip_icmp.c,v 1.178 2018/11/05 10:06:10 claudio Exp $ */
/* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */
/*
@@ -226,6 +226,9 @@ icmp_do_error(struct mbuf *n, int type, int code, u_int32_t dest, int destmtu)
m->m_len = icmplen + ICMP_MINLEN;
if ((m->m_flags & M_EXT) == 0)
MH_ALIGN(m, m->m_len);
+ else
+ m->m_data += (m->m_ext.ext_size - m->m_len) &
+ ~(sizeof(long) - 1);
icp = mtod(m, struct icmp *);
if ((u_int)type > ICMP_MAXTYPE)
panic("icmp_error");
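Review bot: The new else branch relies on two invariants that are not visible in this hunk: that m->m_data still points at the start of the cluster, and that m->m_len does not exceed m->m_ext.ext_size. If the second did not hold, the subtraction would wrap (assuming both fields are unsigned) and m_data would be moved far outside the cluster, so an assertion such as `KASSERT(m->m_len <= m->m_ext.ext_size);` before the offset would make the invariant explicit. A short comment like `/* no M_ALIGN for clusters: put data at the end, long-aligned */` would also explain the hard-coded mask. icmp_do_error starts and ends outside the hunk, so the bound on icmplen may already be enforced earlier in the function.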
@@ -254,8 +257,7 @@ icmp_do_error(struct mbuf *n, int type, int code, u_int32_t dest, int destmtu)
* Now, copy old ip header (without options)
* in front of icmp message.
*/
- if ((m->m_flags & M_EXT) == 0 &&
- m->m_data - sizeof(struct ip) < m->m_pktdat)
+ if (m_leadingspace(m) < sizeof(struct ip))
panic("icmp len");
m->m_data -= sizeof(struct ip);
m->m_len += sizeof(struct ip);
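Review bot: The check `m_leadingspace(m) < sizeof(struct ip)` compares the helper's return value against a size_t. If m_leadingspace() returns a signed int (its declaration is not shown here), a negative result would be converted to a large unsigned value and slip past the check before `m->m_data -= sizeof(struct ip)`. Writing it as `m_leadingspace(m) < (int)sizeof(struct ip)` would keep the sanity check effective in that case. The check now also covers cluster mbufs and depends on the data offset set in the earlier hunk, which the comment above it could mention. The function continues outside the hunk.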