Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-8]: src/sys/netinet Pull up following revision(s) (requested by m...
details: https://anonhg.NetBSD.org/src/rev/3dd908770731
branches: netbsd-8
changeset: 434785:3dd908770731
user: martin <martin%NetBSD.org@localhost>
date: Fri Mar 30 11:10:14 2018 +0000
description:
Pull up following revision(s) (requested by maxv in ticket #668):
sys/netinet/ip_reass.c: revision 1.12
Add one more check in ip_reass_packet(): make sure that the end of each
fragment does not exceed IP_MAXPACKET.
In ip_reass(), we only check the final length of the reassembled packet
against IP_MAXPACKET.
But there is an integer overflow that can happen a little earlier. We
are doing:
i = ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) -
ntohs(ip->ip_off);
[...]
ip->ip_off = htons(ntohs(ip->ip_off) + i);
It is possible that
ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) > 65535
so the computation of ip_off wraps to zero. This breaks an assumption in
the reassembler - it expects the list of fragments to be ordered by
offset, and here it's not ordered anymore. (Un)Fortunately I couldn't
turn this into anything exploitable.
With the new check, it is guaranteed that ip_off+ip_len<=65535.
diffstat:
sys/netinet/ip_reass.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diffs (30 lines):
diff -r de2720e8215e -r 3dd908770731 sys/netinet/ip_reass.c
--- a/sys/netinet/ip_reass.c Fri Mar 30 11:07:12 2018 +0000
+++ b/sys/netinet/ip_reass.c Fri Mar 30 11:10:14 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_reass.c,v 1.11 2017/01/11 13:08:29 ozaki-r Exp $ */
+/* $NetBSD: ip_reass.c,v 1.11.8.1 2018/03/30 11:10:14 martin Exp $ */
/*
* Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11 2017/01/11 13:08:29 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.1 2018/03/30 11:10:14 martin Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -629,6 +629,11 @@
return EINVAL;
}
+ if (off + len > IP_MAXPACKET) {
+ IP_STATINC(IP_STAT_BADFRAGS);
+ return EINVAL;
+ }
+
/*
* Fragment length and MF flag. Make sure that fragments have
* a data length which is non-zero and multiple of 8 bytes.
Home |
Main Index |
Thread Index |
Old Index