Pull up following revision(s) (requested by maxv in ticket #675):
sys/netinet/ip_icmp.c: revision 1.168
Fix a possible buffer overflow in the IPv4 _ctlinput functions.
In _icmp_input we are guaranteeing that the ICMP_ADVLENMIN-byte area
starting from 'icp' is contiguous.
ICMP_ADVLENMIN = 8 + sizeof(struct ip) + 8 = 36
But the _ctlinput functions (e.g. udp_ctlinput) expect the area to be
larger. These functions read at:
(uint8_t *)icp + 8 + (icp->icmp_ip.ip_hl << 2)
which can be crafted to be:
(uint8_t *)icp + 68
So we end up reading 'icp+68' while the valid area ended at 'icp+36'.
Having said that, it seems pretty complicated to trigger this bug; it
would have to be a fragmented packet with half of the ICMP header in the
first fragment, and we would need to have a driver that did not allocate
a cluster for the first mbuf of the chain.
The check of icmplen against ICMP_ADVLEN(icp) was not sufficient: while it
did guarantee that the ICMP header fit the chain, it did not guarantee
that it fit 'm'.
Fix this bug by pulling up to hlen+ICMP_ADVLEN(icp). No need to log an
error. Rebase the pointers afterwards.
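The two checks described in the commit message, modelled as an added stand-alone example (not NetBSD's code): the old fixed-size pull-up to ICMP_ADVLENMIN versus a check against ICMP_ADVLEN(icp), run over a constructed ICMP error whose quoted inner IPv4 header claims ip_hl = 15. The byte layout and helper names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants as stated in the commit message (inner IP header assumed 20 bytes). */
#define ICMP_MINLEN    8
#define IP_HDR_MIN     20
#define ICMP_ADVLENMIN (ICMP_MINLEN + IP_HDR_MIN + 8)   /* 36 */

/* Header length of the quoted inner IPv4 header: low 4 bits of its first byte, in 32-bit words. */
static size_t inner_ip_hlen(const uint8_t *icp) {
    return (size_t)(icp[ICMP_MINLEN] & 0x0f) << 2;
}

/* Offset at which a _ctlinput function starts reading the quoted transport header. */
static size_t ctlinput_read_offset(const uint8_t *icp) {
    return ICMP_MINLEN + inner_ip_hlen(icp);
}

/* ICMP_ADVLEN(icp): 8-byte ICMP header + inner IP header + 8 bytes of transport header. */
static size_t icmp_advlen(const uint8_t *icp) {
    return ctlinput_read_offset(icp) + 8;
}

/* Old behaviour: only ICMP_ADVLENMIN bytes were guaranteed contiguous in 'm'. */
static bool old_check_ok(const uint8_t *icp, size_t contiguous) {
    (void)icp;
    return contiguous >= ICMP_ADVLENMIN;
}

/* Fixed behaviour: the contiguous area must cover ICMP_ADVLEN(icp).
 * ICMP_ADVLENMIN bytes are needed first so that ip_hl itself is readable. */
static bool fixed_check_ok(const uint8_t *icp, size_t contiguous) {
    if (contiguous < ICMP_ADVLENMIN)
        return false;
    return contiguous >= icmp_advlen(icp);
}

/* Constructed sample: a 36-byte contiguous region whose inner IP header has ip_hl = 15.
 * Fills 'icp' (must hold ICMP_ADVLENMIN bytes) and returns the contiguous length. */
static size_t build_crafted_icmp(uint8_t *icp) {
    memset(icp, 0, ICMP_ADVLENMIN);
    icp[0] = 3;                    /* ICMP_UNREACH, so a _ctlinput path would be taken */
    icp[ICMP_MINLEN] = 0x4f;       /* inner IP: version 4, ihl 15 (60-byte header) */
    return ICMP_ADVLENMIN;         /* only 36 bytes are actually contiguous */
}
```

With ip_hl = 15 the read offset is icp+68 and ICMP_ADVLEN(icp) is 76, so the old check accepts a 36-byte region that the fixed check rejects.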