Module Name: src Committed By: ozaki-r Date: Wed Mar 22 03:17:18 UTC 2023
Modified Files: src/sys/netinet6: raw_ip6.c Log Message: in6: make sure a user-specified checksum field is within a packet From OpenBSD To generate a diff of this commit: cvs rdiff -u -r1.182 -r1.183 src/sys/netinet6/raw_ip6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.182 src/sys/netinet6/raw_ip6.c:1.183
--- src/sys/netinet6/raw_ip6.c:1.182 Fri Nov 4 09:01:53 2022
+++ src/sys/netinet6/raw_ip6.c Wed Mar 22 03:17:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $ */
+/* $NetBSD: raw_ip6.c,v 1.183 2023/03/22 03:17:18 ozaki-r Exp $ */
 /* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */
 /*
@@ -62,7 +62,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.183 2023/03/22 03:17:18 ozaki-r Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -202,7 +202,16 @@ rip6_input(struct mbuf **mp, int *offp,
 continue;
 if (in6p_cksum(inp) != -1) {
 RIP6_STATINC(RIP6_STAT_ISUM);
- if (in6_cksum(m, proto, *offp,
+ /*
+ * Although in6_cksum() does not need the position of
+ * the checksum field for verification, enforce that it
+ * is located within the packet. Userland has given
+ * a checksum offset, a packet too short for that is
+ * invalid. Avoid overflow with user supplied offset.
+ */
+ if (m->m_pkthdr.len < *offp + 2 ||
+ m->m_pkthdr.len - *offp - 2 < in6p_cksum(inp) ||
+ in6_cksum(m, proto, *offp,
 m->m_pkthdr.len - *offp)) {
 RIP6_STATINC(RIP6_STAT_BADSUM);
 continue;
@@ -470,7 +479,7 @@ rip6_output(struct mbuf *m, struct socke
 off = offsetof(struct icmp6_hdr, icmp6_cksum);
 else
 off = in6p_cksum(inp);
- if (plen < off + 1) {
+ if (plen < 2 || plen - 2 < off) {
 error = EINVAL;
 goto bad;
 }
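Review bot: In the rip6_input hunk, a packet rejected only because it is too short for the socket's configured checksum offset takes the same branch as a real checksum failure. It increments `RIP6_STAT_BADSUM` (after `RIP6_STAT_ISUM` has already been counted) and is then skipped for this socket. Anyone reading those counters to spot corrupted traffic cannot tell the two cases apart, so the new comment should say so, for example by ending with `Such packets are counted as bad checksums.` The literal `2` is presumably the width of the 16-bit checksum field, and naming that in the comment would help as well. The enclosing loop over sockets begins and ends outside this hunk.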
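Review bot: The rewritten bound in rip6_output, `if (plen < 2 || plen - 2 < off) {`, has no comment, unlike the matching check in rip6_input, and its safety rests on details not visible here. I would add `/* the 2-byte checksum field at off must fit in the payload; subtract rather than add so a user-supplied off cannot overflow */` above it. Whether a negative `off` is rejected depends on the types of `plen` and `off`, which are declared outside this hunk. If both are signed, a negative `off` would satisfy the check, so confirm the declarations and whether the setsockopt path already refuses negative offsets.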