Module Name: src Committed By: maxv Date: Tue Jan 23 10:46:59 UTC 2018
Modified Files: src/sys/netinet6: icmp6.c Log Message: Fix the check on 'maxlen', we are not creating struct icmp6_hdr but struct nd_redirect (which is bigger). Also, make sure we can add a struct nd_opt_rd_hdr. Normally this doesn't change anything, since the mbuf has IPV6_MMTU bytes, and it's always way bigger than what we need. To generate a diff of this commit: cvs rdiff -u -r1.217 -r1.218 src/sys/netinet6/icmp6.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/icmp6.c
diff -u src/sys/netinet6/icmp6.c:1.217 src/sys/netinet6/icmp6.c:1.218
--- src/sys/netinet6/icmp6.c:1.217 Tue Jan 23 10:32:50 2018
+++ src/sys/netinet6/icmp6.c Tue Jan 23 10:46:59 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: icmp6.c,v 1.217 2018/01/23 10:32:50 maxv Exp $ */
+/* $NetBSD: icmp6.c,v 1.218 2018/01/23 10:46:59 maxv Exp $ */
 /* $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */

 /*
@@ -62,7 +62,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.217 2018/01/23 10:32:50 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.218 2018/01/23 10:46:59 maxv Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2544,8 +2544,9 @@ icmp6_redirect_output(struct mbuf *m0, s
 m->m_len = 0;
 maxlen = M_TRAILINGSPACE(m);
 maxlen = min(IPV6_MMTU, maxlen);
+
 /* just for safety */
- if (maxlen < sizeof(struct ip6_hdr) + sizeof(struct icmp6_hdr) +
+ if (maxlen < sizeof(struct ip6_hdr) + sizeof(struct nd_redirect) +
 ((sizeof(struct nd_opt_hdr) + ifp->if_addrlen + 7) & ~7)) {
 goto fail;
 }
@@ -2666,6 +2667,10 @@ icmp6_redirect_output(struct mbuf *m0, s
 len = maxlen - (p - (u_char *)ip6);
 len &= ~7;

+ if (len < sizeof(*nd_opt_rh)) {
+ goto noredhdropt;
+ }
+
 /*
 * Redirected header option spec (RFC2461 4.6.3) talks nothing
 * about padding/truncate rule for the original IP packet.
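Review bot: The comment `/* just for safety */` above the corrected `maxlen` check in icmp6_redirect_output does not say what the bound is protecting, so a reader cannot tell whether the sum in the condition matches the headers the function goes on to write. I would replace it with `/* need room for ip6_hdr + nd_redirect + the target link-layer option, rounded up to 8 bytes */`. The function body starts and ends outside this hunk, so whether every later write stays inside this bound cannot be confirmed from the lines shown.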
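Review bot: The new guard `if (len < sizeof(*nd_opt_rh))` compares `len` against a `size_t`; if `len` is declared with a signed type (its declaration is outside the hunk), a negative result of `maxlen - (p - (u_char *)ip6)` would be converted to a large unsigned value and pass the check. The earlier `maxlen` test appears to keep that subtraction non-negative, but the guard then relies on that test staying in step with every header written before `p`. If `len` is signed, `if (len < 0 || (size_t)len < sizeof(*nd_opt_rh))` would make the guard self-contained. The enclosing block continues past the end of the hunk.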