Module Name: src Committed By: maxv Date: Tue Jan 23 10:32:50 UTC 2018
Modified Files: src/sys/netinet6: icmp6.c Log Message: Fix info leak. We are allocating a slot of size: roundup(sizeof(*nd_opt) + ifp->if_addrlen, 8) But we are not filling in the padding caused by the roundup, and therefore several bytes are leaked, in the mbuf we're about to send to the network. To generate a diff of this commit: cvs rdiff -u -r1.216 -r1.217 src/sys/netinet6/icmp6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netinet6/icmp6.c diff -u src/sys/netinet6/icmp6.c:1.216 src/sys/netinet6/icmp6.c:1.217 --- src/sys/netinet6/icmp6.c:1.216 Tue Jan 23 09:21:59 2018 +++ src/sys/netinet6/icmp6.c Tue Jan 23 10:32:50 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: icmp6.c,v 1.216 2018/01/23 09:21:59 maxv Exp $ */ +/* $NetBSD: icmp6.c,v 1.217 2018/01/23 10:32:50 maxv Exp $ */ /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */ /* @@ -62,7 +62,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.216 2018/01/23 09:21:59 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.217 2018/01/23 10:32:50 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -2616,7 +2616,7 @@ icmp6_redirect_output(struct mbuf *m0, s { /* target lladdr option */ struct llentry *ln = NULL; - int len; + int len, pad; struct nd_opt_hdr *nd_opt; char *lladdr; @@ -2625,17 +2625,21 @@ icmp6_redirect_output(struct mbuf *m0, s goto nolladdropt; len = sizeof(*nd_opt) + ifp->if_addrlen; len = (len + 7) & ~7; /* round by 8 */ + pad = len - (sizeof(*nd_opt) + ifp->if_addrlen); + /* safety check */ if (len + (p - (u_char *)ip6) > maxlen) { LLE_RUNLOCK(ln); goto nolladdropt; } + if (ln->la_flags & LLE_VALID) { nd_opt = (struct nd_opt_hdr *)p; nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR; nd_opt->nd_opt_len = len >> 3; lladdr = (char *)(nd_opt + 1); memcpy(lladdr, &ln->ll_addr, ifp->if_addrlen); + memset(lladdr + ifp->if_addrlen, 0, pad); p += len; } LLE_RUNLOCK(ln);
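Review bot: In the last hunk, `pad` is an `int` (declared in the `int len, pad;` hunk) but is computed from a `size_t` expression that repeats `sizeof(*nd_opt) + ifp->if_addrlen`, and is then passed to `memset()` as a length. Today the value is always 0–7 because `len` was rounded up from the same expression, but if the two copies ever drift apart a negative `pad` would convert to a very large `size_t` in the `memset` call. Zeroing the whole slot before filling it removes that dependency: put `memset(p, 0, len);` right after `nd_opt = (struct nd_opt_hdr *)p;` and drop `pad`, which also keeps the option fully initialized if its layout changes later. A short comment such as `/* clear the roundup padding so no uninitialized bytes go on the wire */` would record why the clear must stay. The body of icmp6_redirect_output starts and ends outside these hunks, so other option-building code in the function is not covered by this note.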