From ec79019cbd43b35fc49cba5b2a0f03176646b7b4 Mon Sep 17 00:00:00 2001
From: Alexander Bluhm
Date: Fri, 8 Dec 2017 22:10:35 +0000
Subject: Pullup the mbuf before accessing the version field in the IP header. Fix the pullup length of the shim header in mpls_do_error(). issue reported by Maxime Villard; OK deraadt@ claudio@
---
 sys/netmpls/mpls_input.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'sys')
diff --git a/sys/netmpls/mpls_input.c b/sys/netmpls/mpls_input.c
index c7b5c0d4a15..1a470a61f7b 100644
--- a/sys/netmpls/mpls_input.c
+++ b/sys/netmpls/mpls_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mpls_input.c,v 1.64 2017/12/08 21:59:05 claudio Exp $ */
+/* $OpenBSD: mpls_input.c,v 1.65 2017/12/08 22:10:34 bluhm Exp $ */
 /*
  * Copyright (c) 2008 Claudio Jeker
@@ -154,6 +154,11 @@ do_v6:
 return;
 #endif /* INET6 */
 case MPLS_LABEL_IMPLNULL:
+ if (m->m_len < sizeof(u_char) &&
+ (m = m_pullup(m, sizeof(u_char))) == NULL) {
+ if_put(ifp);
+ return;
+ }
 switch (*mtod(m, u_char *) >> 4) {
 case IPVERSION:
 goto do_v4;
@@ -362,7 +367,7 @@ mpls_do_error(struct mbuf *m, int type, int code, int destmtu)
 for (nstk = 0; nstk < MPLS_INKERNEL_LOOP_MAX; nstk++) {
 if (m->m_len < sizeof(*shim) &&
- (m = m_pullup(m, sizeof(*ip))) == NULL)
+ (m = m_pullup(m, sizeof(*shim))) == NULL)
 return (NULL);
 stack[nstk] = *mtod(m, struct shim_hdr *);
 m_adj(m, sizeof(*shim));
@@ -371,6 +376,9 @@ mpls_do_error(struct mbuf *m, int type, int code, int destmtu)
 }
 shim = &stack[0];
+ if (m->m_len < sizeof(u_char) &&
+ (m = m_pullup(m, sizeof(u_char))) == NULL)
+ return (NULL);
 switch (*mtod(m, u_char *) >> 4) {
 case IPVERSION:
 if (m->m_len < sizeof(*ip) &&
-- cgit v1.2.3
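Review bot: The one-byte pullup added under `case MPLS_LABEL_IMPLNULL:` carries no comment explaining why the version nibble may not be contiguous or why the failure path returns without freeing `m`, and the same guard is repeated in the `mpls_do_error()` hunk at `@@ -371,6 +376,9 @@`. I would put `/* label stack may end at the mbuf boundary; m_pullup() frees the chain on failure */` above the `if` in both places so a later editor does not add an `m_freem()` and turn it into a double free. The guard only guarantees the first payload byte, so the `do_v4` and `do_v6` targets, which lie outside this hunk, still have to validate the full header length themselves. The enclosing function starts and ends outside the hunk, so the other exit paths could not be compared for consistency with the `if_put(ifp); return;` used here.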
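Review bot: The version-nibble read added after `shim = &stack[0];` in `mpls_do_error()` assumes the preceding loop stopped at the bottom-of-stack label, but the loop can also end by reaching `MPLS_INKERNEL_LOOP_MAX`. The lines between the `@@ -362,7 +367,7 @@` hunk and this one are not shown, so it cannot be confirmed here whether that case is rejected; if it is not, the byte inspected would belong to a further label rather than an IP header and could be dispatched as IPv4 or IPv6. If no such check exists, I would add `if (nstk == MPLS_INKERNEL_LOOP_MAX) { m_freem(m); return (NULL); }` before `shim = &stack[0];`, which matches the convention visible here that a NULL return means the mbuf has been consumed. The function body continues past the end of the hunk.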