
[src/netbsd-8]: src/sys/net Pull up the following revisions(s) (requested by ...



details:   https://anonhg.NetBSD.org/src/rev/5b07a486e32d
branches:  netbsd-8
changeset: 365948:5b07a486e32d
user:      sborrill <sborrill%NetBSD.org@localhost>
date:      Wed May 04 15:36:35 2022 +0000

description:
Pull up the following revision(s) (requested by martin in ticket #1740):
        sys/net/if_pppoe.c:     revision 1.179

pppoe(4): fix CVE-2022-29867 - discovery phase local network
mbuf corruption.

diffstat:

 sys/net/if_pppoe.c |  15 +++++++++++++--
 1 files changed, 13 insertions(+), 2 deletions(-)

diffs (50 lines):

diff -r 5abaf554dfde -r 5b07a486e32d sys/net/if_pppoe.c
--- a/sys/net/if_pppoe.c        Wed Apr 27 16:56:09 2022 +0000
+++ b/sys/net/if_pppoe.c        Wed May 04 15:36:35 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: if_pppoe.c,v 1.125.6.10 2020/02/13 19:37:39 martin Exp $ */
+/* $NetBSD: if_pppoe.c,v 1.125.6.11 2022/05/04 15:36:35 sborrill Exp $ */
 
 /*-
  * Copyright (c) 2002, 2008 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_pppoe.c,v 1.125.6.10 2020/02/13 19:37:39 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_pppoe.c,v 1.125.6.11 2022/05/04 15:36:35 sborrill Exp $");
 
 #ifdef _KERNEL_OPT
 #include "pppoe.h"
@@ -871,6 +871,10 @@
                        }
                        sc->sc_ac_cookie_len = ac_cookie_len;
                        memcpy(sc->sc_ac_cookie, ac_cookie, ac_cookie_len);
+               } else if (sc->sc_ac_cookie) {
+                       free(sc->sc_ac_cookie, M_DEVBUF);
+                       sc->sc_ac_cookie = NULL;
+                       sc->sc_ac_cookie_len = 0;
                }
                if (relay_sid) {
                        if (sc->sc_relay_sid)
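Review bot: The added `else if (sc->sc_ac_cookie)` branch has no comment explaining why a packet without the tag must clear the stored state, and the same four lines are repeated for `sc_relay_sid` in the next hunk. A short comment on each branch would record the invariant, for example `/* tag absent in this packet: drop the value kept from an earlier one so pointer and length stay in sync */`. Presumably the stored pointer and length are used later to size and fill the next discovery packet, which is outside these hunks, so it is worth confirming that every other path freeing these buffers also resets the matching `_len` field. The enclosing block starts and ends outside the hunk.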
@@ -886,6 +890,10 @@
                        }
                        sc->sc_relay_sid_len = relay_sid_len;
                        memcpy(sc->sc_relay_sid, relay_sid, relay_sid_len);
+               } else if (sc->sc_relay_sid) {
+                       free(sc->sc_relay_sid, M_DEVBUF);
+                       sc->sc_relay_sid = NULL;
+                       sc->sc_relay_sid_len = 0;
                }
                memcpy(&sc->sc_dest, eh->ether_shost, sizeof sc->sc_dest);
                callout_stop(&sc->sc_timeout);
@@ -1313,6 +1321,9 @@
 {
        struct mbuf *m;
 
+       if (len + sizeof(struct ether_header) > MCLBYTES)
+               return NULL;
+
        MGETHDR(m, M_DONTWAIT, MT_DATA);
        if (m == NULL)
                return NULL;
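Review bot: The new bound is written as an addition, so whether it holds depends on the type of `len`, which is declared in the signature outside this hunk. If `len` is signed or can be very large, `len + sizeof(struct ether_header)` can convert or wrap to a small value and pass the test. The subtraction form cannot wrap: `if (len > MCLBYTES - sizeof(struct ether_header))`. A one-line comment such as `/* request plus Ethernet header must fit in a single cluster */` would say why the limit is MCLBYTES. Callers should keep treating a NULL return as a failed allocation and drop the packet.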


