Source-Changes-D archive


Re: CVS commit: src/sys/net/npf



On 31/01/2018 at 00:18, Mindaugas Rasiukevicius wrote:
> [...]
>> Fix this by using uint32_t. While here, it seems to me there is also a
>> memory overflow: still in npf_cache_ip, npc_hlen may be incremented with
>> a value that goes beyond the mbuf.
> [...]
> If the npc_hlen value is beyond the packet length, NPF's nbuf interface
> will catch that, since it performs the bounds check.

I meant to say that the IPv6 loop in npf_cache_ip seems suspicious to me.

	while (nbuf_advance(nbuf, hlen, 0) != NULL) {
		[...]
		hlen = (ip6e->ip6e_len + 1) << 3;
		[...]
		npc->npc_hlen += hlen;
	}
	[continue execution...]

Here, if you have a 'hlen' that goes beyond the mbuf, nbuf_advance will fail,
and we're not handling this case. npc_hlen got incremented along the way, and
it now points past the end of the mbuf.

Perhaps that's handled properly later, but in all cases, we ought to handle
the error right here instead of processing the packet any further.

Note however that NPF is rather at the end of my TODO list, and I'll come back
to it later.

Maxime
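The loop discussed in this mail, modelled outside the kernel as an added example (it is not NPF's code): a stand-in nbuf with a bounds-checked advance, the accumulation pattern quoted above beside a variant that reports the failed advance so the caller can drop the packet instead of continuing. `struct pkt`, `pkt_advance`, `walk_unchecked`, `walk_checked` and the sample packet are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#define IP6_HDRLEN 40
/* Hypothetical stand-ins for NPF's nbuf and for the IPv6 extension-header prefix. */
struct pkt { const uint8_t *data; size_t len; };
struct ip6_ext { uint8_t nxt, len; };   /* len is in 8-byte units, minus one */
static int is_ext(uint8_t nxt) { return nxt == 0 || nxt == 43 || nxt == 60; }
/* Model of nbuf_advance(): move the cursor by step, or return NULL when the
 * step, or the header prefix that should follow it, lies outside the buffer. */
static const struct ip6_ext *pkt_advance(const struct pkt *p, size_t *off, size_t step) {
	if (step > p->len - *off || p->len - (*off + step) < sizeof(struct ip6_ext))
		return NULL;
	*off += step;
	return (const struct ip6_ext *)(p->data + *off);
}
/* The pattern quoted in the mail: hlen is added to npc_hlen before the next
 * advance validates it, so when that advance fails the loop just ends and the
 * caller goes on with a header length that can exceed the packet length. */
static size_t walk_unchecked(const struct pkt *p) {
	size_t off = 0, hlen = IP6_HDRLEN, npc_hlen = IP6_HDRLEN;
	uint8_t nxt = p->data[6]; const struct ip6_ext *e;
	while (is_ext(nxt) && (e = pkt_advance(p, &off, hlen)) != NULL) {
		hlen = (size_t)(e->len + 1) << 3; nxt = e->nxt;
		npc_hlen += hlen;
	}
	return npc_hlen;
}
/* Hardened variant: a failed advance, or a final header that runs past the
 * buffer, is reported as -1 so the caller can drop the packet; 0 on success. */
static int walk_checked(const struct pkt *p, size_t *npc_hlen) {
	size_t off = 0, hlen = IP6_HDRLEN;
	uint8_t nxt = p->data[6]; const struct ip6_ext *e;
	*npc_hlen = IP6_HDRLEN;
	while (is_ext(nxt)) {
		if ((e = pkt_advance(p, &off, hlen)) == NULL)
			return -1;
		hlen = (size_t)(e->len + 1) << 3; nxt = e->nxt;
		*npc_hlen += hlen;
	}
	return *npc_hlen <= p->len ? 0 : -1;
}
/* Constructed 56-byte sample: IPv6 header, an 8-byte hop-by-hop header, then a
 * destination-options header claiming 32 bytes of which only 8 are present. */
static const uint8_t sample[56] = {                /* version 6, next = hop-by-hop (0) */
	[0] = 0x60, [6] = 0, [40] = 60, [41] = 0,      /* hop-by-hop: next = dstopts, 8 bytes */
	[48] = 43, [49] = 3,                           /* dstopts: next = routing, claims 32 */
};
static struct pkt make_sample(void) { struct pkt p = { sample, sizeof sample }; return p; }
```

On the sample, the unchecked walk returns 80 for a 56-byte packet while the checked walk returns -1 at the advance that fails.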

