Module Name: src
Committed By: ozaki-r
Date: Wed Mar 22 03:17:18 UTC 2023
Modified Files:
src/sys/netinet6: raw_ip6.c
Log Message:
in6: make sure a user-specified checksum field is within a packet
>From OpenBSD
To generate a diff of this commit:
cvs rdiff -u -r1.182 -r1.183 src/sys/netinet6/raw_ip6.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.182 src/sys/netinet6/raw_ip6.c:1.183
--- src/sys/netinet6/raw_ip6.c:1.182 Fri Nov 4 09:01:53 2022
+++ src/sys/netinet6/raw_ip6.c Wed Mar 22 03:17:18 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $ */
+/* $NetBSD: raw_ip6.c,v 1.183 2023/03/22 03:17:18 ozaki-r Exp $ */
/* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.183 2023/03/22 03:17:18 ozaki-r Exp $");
#ifdef _KERNEL_OPT
#include "opt_ipsec.h"
@@ -202,7 +202,16 @@ rip6_input(struct mbuf **mp, int *offp,
continue;
if (in6p_cksum(inp) != -1) {
RIP6_STATINC(RIP6_STAT_ISUM);
- if (in6_cksum(m, proto, *offp,
+ /*
+ * Although in6_cksum() does not need the position of
+ * the checksum field for verification, enforce that it
+ * is located within the packet. Userland has given
+ * a checksum offset, a packet too short for that is
+ * invalid. Avoid overflow with user supplied offset.
+ */
+ if (m->m_pkthdr.len < *offp + 2 ||
+ m->m_pkthdr.len - *offp - 2 < in6p_cksum(inp) ||
+ in6_cksum(m, proto, *offp,
m->m_pkthdr.len - *offp)) {
RIP6_STATINC(RIP6_STAT_BADSUM);
continue;
@@ -470,7 +479,7 @@ rip6_output(struct mbuf *m, struct socke
off = offsetof(struct icmp6_hdr, icmp6_cksum);
else
off = in6p_cksum(inp);
- if (plen < off + 1) {
+ if (plen < 2 || plen - 2 < off) {
error = EINVAL;
goto bad;
}
