---
- branch: netbsd-8
  date: Sat Mar 31 10:38:53 UTC 2018
  files:
  - new: 1.161.6.1
    old: '1.161'
    path: src/sys/netinet/ip_icmp.c
    pathrev: src/sys/netinet/ip_icmp.c@1.161.6.1
    type: modified
  id: 20180331T103853Z.e5338bf779f430c6a32dc02a97c5f4e623379da4
  log: |
    Pull up following revision(s) (requested by maxv in ticket #675):

    	sys/netinet/ip_icmp.c: revision 1.168

    Fix a possible buffer overflow in the IPv4 _ctlinput functions.

    In _icmp_input we are guaranteeing that the ICMP_ADVLENMIN-byte area
    starting from 'icp' is contiguous.

     ICMP_ADVLENMIN = 8 + sizeof(struct ip) + 8 = 36

    But the _ctlinput functions (eg udp_ctlinput) expect the area to be
    larger. These functions read at:

     (uint8_t *)icp + 8 + (icp->icmp_ip.ip_hl << 2)

    which can be crafted to be:

     (uint8_t *)icp + 68

    So we end up reading 'icp+68' while the valid area ended at 'icp+36'.

    Having said that, it seems pretty complicated to trigger this bug; it
    would have to be a fragmented packet with half of the ICMP header in the
    first fragment, and we would need to have a driver that did not allocate
    a cluster for the first mbuf of the chain.

    The check of icmplen against ICMP_ADVLEN(icp) was not sufficient: while it
    did guarantee that the ICMP header fit the chain, it did not guarantee
    that it fit 'm'.

    Fix this bug by pulling up to hlen+ICMP_ADVLEN(icp). No need to log an
    error. Rebase the pointers afterwards.
  module: src
  subject: 'CVS commit: [netbsd-8] src/sys/netinet'
  unixtime: '1522492733'
  user: martin