netinet6

Martin Husemann Thu, 23 Mar 2023 05:03:19 -0700

Module Name:    src
Committed By:   martin
Date:           Thu Mar 23 12:03:04 UTC 2023


Modified Files:
        src/sys/netinet6 [netbsd-10]: ip6_output.c raw_ip6.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #125):

        sys/netinet6/raw_ip6.c: revision 1.183
        sys/netinet6/ip6_output.c: revision 1.233

in6: reject setting negative values but -1 via setsockopt(IPV6_CHECKSUM)
Same as OpenBSD.

in6: make sure a user-specified checksum field is within a packet
>From OpenBSD


To generate a diff of this commit:
cvs rdiff -u -r1.231 -r1.231.2.1 src/sys/netinet6/ip6_output.c
cvs rdiff -u -r1.182 -r1.182.2.1 src/sys/netinet6/raw_ip6.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/ip6_output.c
diff -u src/sys/netinet6/ip6_output.c:1.231 src/sys/netinet6/ip6_output.c:1.231.2.1
--- src/sys/netinet6/ip6_output.c:1.231	Fri Oct 28 05:25:36 2022
+++ src/sys/netinet6/ip6_output.c	Thu Mar 23 12:03:04 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_output.c,v 1.231 2022/10/28 05:25:36 ozaki-r Exp $	*/
+/*	$NetBSD: ip6_output.c,v 1.231.2.1 2023/03/23 12:03:04 martin Exp $	*/
 /*	$KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.231 2022/10/28 05:25:36 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.231.2.1 2023/03/23 12:03:04 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1986,8 +1986,12 @@ ip6_raw_ctloutput(int op, struct socket 
 			error = sockopt_getint(sopt, &optval);
 			if (error)
 				break;
-			if ((optval % 2) != 0) {
-				/* the API assumes even offset values */
+			if (optval < -1 ||
+			    (optval > 0 && (optval % 2) != 0)) {
+				/*
+				 * The API assumes non-negative even offset
+				 * values or -1 as a special value.
+				 */
 				error = EINVAL;
 			} else if (so->so_proto->pr_protocol ==
 			    IPPROTO_ICMPV6) {

Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.182 src/sys/netinet6/raw_ip6.c:1.182.2.1
--- src/sys/netinet6/raw_ip6.c:1.182	Fri Nov  4 09:01:53 2022
+++ src/sys/netinet6/raw_ip6.c	Thu Mar 23 12:03:04 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.182.2.1 2023/03/23 12:03:04 martin Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.182 2022/11/04 09:01:53 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.182.2.1 2023/03/23 12:03:04 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -202,7 +202,16 @@ rip6_input(struct mbuf **mp, int *offp, 
 			continue;
 		if (in6p_cksum(inp) != -1) {
 			RIP6_STATINC(RIP6_STAT_ISUM);
-			if (in6_cksum(m, proto, *offp,
+			/*
+			 * Although in6_cksum() does not need the position of
+			 * the checksum field for verification, enforce that it
+			 * is located within the packet.  Userland has given
+			 * a checksum offset, a packet too short for that is
+			 * invalid.  Avoid overflow with user supplied offset.
+			 */
+			if (m->m_pkthdr.len < *offp + 2 ||
+			    m->m_pkthdr.len - *offp - 2 < in6p_cksum(inp) ||
+			    in6_cksum(m, proto, *offp,
 			    m->m_pkthdr.len - *offp)) {
 				RIP6_STATINC(RIP6_STAT_BADSUM);
 				continue;
@@ -470,7 +479,7 @@ rip6_output(struct mbuf *m, struct socke
 			off = offsetof(struct icmp6_hdr, icmp6_cksum);
 		else
 			off = in6p_cksum(inp);
-		if (plen < off + 1) {
+		if (plen < 2 || plen - 2 < off) {
 			error = EINVAL;
 			goto bad;
 		}

CVS commit: [netbsd-10] src/sys/netinet6

Reply via email to