Source-Changes-HG archive


[src/trunk]: src/sys/netinet6 Fix 'icmp6len', it shouldn't be ip6_plen, becau...



details:   https://anonhg.NetBSD.org/src/rev/9ba9303cb598
branches:  trunk
changeset: 322035:9ba9303cb598
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sat Apr 14 17:55:47 2018 +0000

description:
Fix 'icmp6len', it shouldn't be ip6_plen, because we may not be at the
beginning of the packet (off+ip6_plen is beyond the end of the mbuf). By
luck, the IP6_EXTHDR_GET that follows will fail and prevent buffer
overflows in non-jumbogram packets.

For jumbograms we will probably be in trouble here; but it doesn't seem
possible to craft reliably a jumbogram for a non-jumbogram-enabled device.

So I don't think it's a huge problem.

diffstat:

 sys/netinet6/icmp6.c |  6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diffs (27 lines):

diff -r 665c2fb0ac59 -r 9ba9303cb598 sys/netinet6/icmp6.c
--- a/sys/netinet6/icmp6.c      Sat Apr 14 17:52:51 2018 +0000
+++ b/sys/netinet6/icmp6.c      Sat Apr 14 17:55:47 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: icmp6.c,v 1.229 2018/04/14 14:59:58 maxv Exp $ */
+/*     $NetBSD: icmp6.c,v 1.230 2018/04/14 17:55:47 maxv Exp $ */
 /*     $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.229 2018/04/14 14:59:58 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.230 2018/04/14 17:55:47 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2224,7 +2224,7 @@
        struct ifnet *ifp;
        struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
        struct nd_redirect *nd_rd;
-       int icmp6len = ntohs(ip6->ip6_plen);
+       int icmp6len = m->m_pkthdr.len - off;
        char *lladdr = NULL;
        int lladdrlen = 0;
        struct rtentry *rt = NULL;
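Review bot: at `int icmp6len = m->m_pkthdr.len - off;` the result is a signed int, and nothing in the visible context establishes that `off` is no larger than `m->m_pkthdr.len`, so a bad offset would produce a negative length that every later comparison has to cope with. Consider asserting the invariant here (for example a KASSERT that `off <= m->m_pkthdr.len`) or rejecting the packet early when the remaining length is smaller than `sizeof(struct nd_redirect)`, rather than relying on the IP6_EXTHDR_GET that the commit message says follows. A short comment on this line explaining that the length comes from the mbuf packet header because `off` may not be at the start of the packet, so `off + ip6_plen` can run past the end of the mbuf, would keep the assignment from being changed back. Any other place in this file that uses `ntohs(ip6->ip6_plen)` as the ICMPv6 length after a non-zero `off` deserves the same review.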


