Module Name: src
Committed By: maxv
Date: Tue Jan 23 10:32:50 UTC 2018
Modified Files:
src/sys/netinet6: icmp6.c
Log Message:
Fix info leak. We are allocating a slot of size:
roundup(sizeof(*nd_opt) + ifp->if_addrlen, 8)
But we are not filling in the padding caused by the roundup, and therefore
several bytes are leaked, in the mbuf we're about to send to the network.
To generate a diff of this commit:
cvs rdiff -u -r1.216 -r1.217 src/sys/netinet6/icmp6.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/icmp6.c
diff -u src/sys/netinet6/icmp6.c:1.216 src/sys/netinet6/icmp6.c:1.217
--- src/sys/netinet6/icmp6.c:1.216 Tue Jan 23 09:21:59 2018
+++ src/sys/netinet6/icmp6.c Tue Jan 23 10:32:50 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: icmp6.c,v 1.216 2018/01/23 09:21:59 maxv Exp $ */
+/* $NetBSD: icmp6.c,v 1.217 2018/01/23 10:32:50 maxv Exp $ */
/* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.216 2018/01/23 09:21:59 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.217 2018/01/23 10:32:50 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -2616,7 +2616,7 @@ icmp6_redirect_output(struct mbuf *m0, s
{
/* target lladdr option */
struct llentry *ln = NULL;
- int len;
+ int len, pad;
struct nd_opt_hdr *nd_opt;
char *lladdr;
@@ -2625,17 +2625,21 @@ icmp6_redirect_output(struct mbuf *m0, s
goto nolladdropt;
len = sizeof(*nd_opt) + ifp->if_addrlen;
len = (len + 7) & ~7; /* round by 8 */
+ pad = len - (sizeof(*nd_opt) + ifp->if_addrlen);
+
/* safety check */
if (len + (p - (u_char *)ip6) > maxlen) {
LLE_RUNLOCK(ln);
goto nolladdropt;
}
+
if (ln->la_flags & LLE_VALID) {
nd_opt = (struct nd_opt_hdr *)p;
nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
nd_opt->nd_opt_len = len >> 3;
lladdr = (char *)(nd_opt + 1);
memcpy(lladdr, &ln->ll_addr, ifp->if_addrlen);
+ memset(lladdr + ifp->if_addrlen, 0, pad);
p += len;
}
LLE_RUNLOCK(ln);
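Review bot: The added `memset(lladdr + ifp->if_addrlen, 0, pad);` carries no comment saying that the bytes it clears are the round-up padding of the target link-layer address option, so a later cleanup could remove it as redundant and reopen the leak described in the log message. I would put `/* zero the roundup padding: it goes out on the wire and must not carry stale mbuf contents */` directly above it. `pad` is also computed by repeating `sizeof(*nd_opt) + ifp->if_addrlen` in mixed `size_t`/`int` arithmetic; it stays within 0..7 only because `len` was rounded up from that same sum, and keeping the unrounded length in a local before the rounding step would make that invariant visible. The body of icmp6_redirect_output starts and ends outside this hunk, so whether other options built in the function leave similar padding unfilled cannot be judged from here.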