[src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.40 (via patch, requeste...

[he <he%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/703fbea103da
branches:  netbsd-1-5
changeset: 490773:703fbea103da
user:      he <he%NetBSD.org@localhost>
date:      Mon Feb 26 22:59:26 2001 +0000

description:
Pull up revision 1.40 (via patch, requested by itojun):
  Tighten IPv6 ND6/dest6 option chasing bounds check.

diffstat:

 sys/netinet6/nd6.c |  25 +++++++++++++++++++++----
 1 files changed, 21 insertions(+), 4 deletions(-)

diffs (53 lines):

diff -r 014aa841ffa9 -r 703fbea103da sys/netinet6/nd6.c
--- a/sys/netinet6/nd6.c        Mon Feb 26 22:59:09 2001 +0000
+++ b/sys/netinet6/nd6.c        Mon Feb 26 22:59:26 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: nd6.c,v 1.30.4.1 2000/07/20 00:07:05 itojun Exp $      */
+/*     $NetBSD: nd6.c,v 1.30.4.2 2001/02/26 22:59:26 he Exp $  */
 /*     $KAME: nd6.c,v 1.68 2000/07/02 14:48:02 itojun Exp $    */
 
 /*
@@ -165,8 +165,14 @@
 
 #define ND nd_ifinfo[ifp->if_index]
 
-       /* don't initialize if called twice */
-       if (ND.linkmtu)
+       /*
+        * Don't initialize if called twice.
+        * XXX: to detect this, we should choose a member that is never set
+        * before initialization of the ND structure itself.  We formaly used
+        * the linkmtu member, which was not suitable because it could be 
+        * initialized via "ifconfig mtu".
+        */
+       if (ND.basereachable)
                return;
 
        ND.linkmtu = ifindex2ifnet[ifp->if_index]->if_mtu;
@@ -272,6 +278,12 @@
 
        nd_opt = ndopts->nd_opts_search;
 
+       /* make sure nd_opt_len is inside the buffer */
+       if ((caddr_t)&nd_opt->nd_opt_len >= (caddr_t)ndopts->nd_opts_last) {
+               bzero(ndopts, sizeof(*ndopts));
+               return NULL;
+       }
+
        olen = nd_opt->nd_opt_len << 3;
        if (olen == 0) {
                /*
@@ -283,7 +295,12 @@
        }
 
        ndopts->nd_opts_search = (struct nd_opt_hdr *)((caddr_t)nd_opt + olen);
-       if (!(ndopts->nd_opts_search < ndopts->nd_opts_last)) {
+       if (ndopts->nd_opts_search > ndopts->nd_opts_last) {
+               /* option overruns the end of buffer, invalid */
+               bzero(ndopts, sizeof(*ndopts));
+               return NULL;
+       } else if (ndopts->nd_opts_search == ndopts->nd_opts_last) {
+               /* reached the end of options chain */
                ndopts->nd_opts_done = 1;
                ndopts->nd_opts_search = NULL;
        }