[src/netbsd-8]: src/sys/netinet Pull up following revision(s) (requested by m...

[martin <martin%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/052a25b89c26
branches:  netbsd-8
changeset: 851521:052a25b89c26
user:      martin <martin%NetBSD.org@localhost>
date:      Fri Mar 30 11:10:14 2018 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #668):
        sys/netinet/ip_reass.c: revision 1.12

Add one more check in ip_reass_packet(): make sure that the end of each
fragment does not exceed IP_MAXPACKET.

In ip_reass(), we only check the final length of the reassembled packet
against IP_MAXPACKET.

But there is an integer overflow that can happen a little earlier. We
are doing:

        i = ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) -
            ntohs(ip->ip_off);
        [...]
        ip->ip_off = htons(ntohs(ip->ip_off) + i);

It is possible that

        ntohs(p->ipqe_ip->ip_off) + ntohs(p->ipqe_ip->ip_len) > 65535

so the computation of ip_off wraps to zero. This breaks an assumption in
the reassembler - it expects the list of fragments to be ordered by
offset, and here it's not ordered anymore. (Un)Fortunately I couldn't
turn this into anything exploitable.

With the new check, it is guaranteed that ip_off+ip_len<=65535.

diffstat:

 sys/netinet/ip_reass.c |  9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diffs (30 lines):

diff -r 2748088ddea0 -r 052a25b89c26 sys/netinet/ip_reass.c
--- a/sys/netinet/ip_reass.c    Fri Mar 30 11:07:12 2018 +0000
+++ b/sys/netinet/ip_reass.c    Fri Mar 30 11:10:14 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_reass.c,v 1.11 2017/01/11 13:08:29 ozaki-r Exp $    */
+/*     $NetBSD: ip_reass.c,v 1.11.8.1 2018/03/30 11:10:14 martin Exp $ */
 
 /*
  * Copyright (c) 1982, 1986, 1988, 1993
@@ -46,7 +46,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11 2017/01/11 13:08:29 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_reass.c,v 1.11.8.1 2018/03/30 11:10:14 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -629,6 +629,11 @@
                return EINVAL;
        }
 
+       if (off + len > IP_MAXPACKET) {
+               IP_STATINC(IP_STAT_BADFRAGS);
+               return EINVAL;
+       }
+
        /*
         * Fragment length and MF flag.  Make sure that fragments have
         * a data length which is non-zero and multiple of 8 bytes.