Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-6]: src/sys/netinet Pull up following revision(s) (requested by m...
details: https://anonhg.NetBSD.org/src/rev/54d8b6ef7c52
branches: netbsd-6
changeset: 777132:54d8b6ef7c52
user: snj <snj%NetBSD.org@localhost>
date: Sun Feb 05 06:07:36 2017 +0000
description:
Pull up following revision(s) (requested by maxv in ticket #1432):
sys/netinet/if_arp.c: 1.238, 1.239 via patch
Make sure the protocol address length equals that of IPv4. Also, make sure
the hardware address length equals that of the interface we received the
packet on. Otherwise a packet could easily set them both to zero and make
the kernel read beyond the allocated mbuf, which is terrible.
Note: for the latter we drop the packet instead of replying, since it is
malformed.
Note: I also added an ugly hack in CARP, since it apparently expects at
least six bytes.
--
Add some checks, mostly same as in_arpinput.
diffstat:
sys/netinet/if_arp.c | 31 +++++++++++++++++++++----------
1 files changed, 21 insertions(+), 10 deletions(-)
diffs (81 lines):
diff -r 76a66ec56582 -r 54d8b6ef7c52 sys/netinet/if_arp.c
--- a/sys/netinet/if_arp.c Sun Feb 05 06:01:05 2017 +0000
+++ b/sys/netinet/if_arp.c Sun Feb 05 06:07:36 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: if_arp.c,v 1.154.2.2 2015/11/15 17:51:52 bouyer Exp $ */
+/* $NetBSD: if_arp.c,v 1.154.2.3 2017/02/05 06:07:36 snj Exp $ */
/*-
* Copyright (c) 1998, 2000, 2008 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.154.2.2 2015/11/15 17:51:52 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.154.2.3 2017/02/05 06:07:36 snj Exp $");
#include "opt_ddb.h"
#include "opt_inet.h"
@@ -975,6 +975,9 @@
break;
}
+ if (ah->ar_pln != sizeof(struct in_addr))
+ goto out;
+
memcpy(&isaddr, ar_spa(ah), sizeof (isaddr));
memcpy(&itaddr, ar_tpa(ah), sizeof (itaddr));
@@ -1005,7 +1008,10 @@
((ia->ia_ifp->if_flags & (IFF_UP|IFF_RUNNING)) ==
(IFF_UP|IFF_RUNNING))) {
index++;
+
+ /* XXX: ar_hln? */
if (ia->ia_ifp == m->m_pkthdr.rcvif &&
+ (ah->ar_hln >= 6) &&
carp_iamatch(ia, ar_sha(ah),
&count, index)) {
break;
@@ -1037,6 +1043,14 @@
}
#endif
+ if (ah->ar_hln != ifp->if_addrlen) {
+ ARP_STATINC(ARP_STAT_RCVBADLEN);
+ log(LOG_WARNING,
+ "arp from %s: addr len: new %d, i/f %d (ignored)\n",
+ in_fmtaddr(isaddr), ah->ar_hln, ifp->if_addrlen);
+ goto out;
+ }
+
if (ia == NULL) {
INADDR_TO_IA(isaddr, ia);
while ((ia != NULL) && ia->ia_ifp != m->m_pkthdr.rcvif)
@@ -1131,14 +1145,7 @@
"arp from %s: new addr len %d, was %d\n",
in_fmtaddr(isaddr), ah->ar_hln, sdl->sdl_alen);
}
- if (ifp->if_addrlen != ah->ar_hln) {
- ARP_STATINC(ARP_STAT_RCVBADLEN);
- log(LOG_WARNING,
- "arp from %s: addr len: new %d, i/f %d (ignored)\n",
- in_fmtaddr(isaddr), ah->ar_hln,
- ifp->if_addrlen);
- goto reply;
- }
+
#if NTOKEN > 0
/*
* XXX uses m_data and assumes the complete answer including
@@ -1437,6 +1444,10 @@
tha = ar_tha(ah);
if (tha == NULL)
goto out;
+ if (ah->ar_pln != sizeof(struct in_addr))
+ goto out;
+ if (ah->ar_hln != ifp->if_sadl->sdl_alen)
+ goto out;
if (memcmp(tha, CLLADDR(ifp->if_sadl), ifp->if_sadl->sdl_alen))
goto out;
memcpy(&srv_ip, ar_spa(ah), sizeof(srv_ip));
Home |
Main Index |
Thread Index |
Old Index