[src/trunk]: src/sys/netinet Fix possible buffer overflow. We need to make su...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/d858afb896e8
branches:  trunk
changeset: 832330:d858afb896e8
user:      maxv <maxv%NetBSD.org@localhost>
date:      Mon May 07 19:34:03 2018 +0000

description:
Fix possible buffer overflow. We need to make sure the inner IPv4 packet
doesn't have options, because we validate only an option-less header.

diffstat:

 sys/netinet/ip_mroute.c |  11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diffs (32 lines):

diff -r c937e219bd88 -r d858afb896e8 sys/netinet/ip_mroute.c
--- a/sys/netinet/ip_mroute.c   Mon May 07 15:03:19 2018 +0000
+++ b/sys/netinet/ip_mroute.c   Mon May 07 19:34:03 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_mroute.c,v 1.157 2018/04/11 06:26:00 maxv Exp $     */
+/*     $NetBSD: ip_mroute.c,v 1.158 2018/05/07 19:34:03 maxv Exp $     */
 
 /*
  * Copyright (c) 1992, 1993
@@ -93,7 +93,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.157 2018/04/11 06:26:00 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.158 2018/05/07 19:34:03 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -3070,6 +3070,13 @@
                        return;
                }
 
+               /* verify the inner packet doesn't have options */
+               if (encap_ip->ip_hl != (sizeof(struct ip) >> 2)) {
+                       pimstat.pims_rcv_badregisters++;
+                       m_freem(m);
+                       return;
+               }
+
                /* verify the inner packet is destined to a mcast group */
                if (!IN_MULTICAST(encap_ip->ip_dst.s_addr)) {
                        pimstat.pims_rcv_badregisters++;