Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-8]: src/sys/netinet6 Pull up following revision(s) (requested by ...
details: https://anonhg.NetBSD.org/src/rev/b7491b0d1114
branches: netbsd-8
changeset: 373987:b7491b0d1114
user: martin <martin%NetBSD.org@localhost>
date: Thu Mar 23 12:08:39 2023 +0000
description:
Pull up following revision(s) (requested by ozaki-r in ticket #1808):
sys/netinet6/raw_ip6.c: revision 1.183 (via patch)
sys/netinet6/ip6_output.c: revision 1.233
in6: reject setting negative values but -1 via setsockopt(IPV6_CHECKSUM)
Same as OpenBSD.
in6: make sure a user-specified checksum field is within a packet
>From OpenBSD
diffstat:
sys/netinet6/ip6_output.c | 12 ++++++++----
sys/netinet6/raw_ip6.c | 17 +++++++++++++----
2 files changed, 21 insertions(+), 8 deletions(-)
diffs (78 lines):
diff -r 8e6963282ab3 -r b7491b0d1114 sys/netinet6/ip6_output.c
--- a/sys/netinet6/ip6_output.c Mon Mar 13 21:36:56 2023 +0000
+++ b/sys/netinet6/ip6_output.c Thu Mar 23 12:08:39 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_output.c,v 1.191.6.4 2018/01/02 10:20:34 snj Exp $ */
+/* $NetBSD: ip6_output.c,v 1.191.6.5 2023/03/23 12:08:39 martin Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191.6.4 2018/01/02 10:20:34 snj Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.191.6.5 2023/03/23 12:08:39 martin Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -2028,8 +2028,12 @@ ip6_raw_ctloutput(int op, struct socket
error = sockopt_getint(sopt, &optval);
if (error)
break;
- if ((optval % 2) != 0) {
- /* the API assumes even offset values */
+ if (optval < -1 ||
+ (optval > 0 && (optval % 2) != 0)) {
+ /*
+ * The API assumes non-negative even offset
+ * values or -1 as a special value.
+ */
error = EINVAL;
} else if (so->so_proto->pr_protocol ==
IPPROTO_ICMPV6) {
diff -r 8e6963282ab3 -r b7491b0d1114 sys/netinet6/raw_ip6.c
--- a/sys/netinet6/raw_ip6.c Mon Mar 13 21:36:56 2023 +0000
+++ b/sys/netinet6/raw_ip6.c Thu Mar 23 12:08:39 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: raw_ip6.c,v 1.157.2.5 2019/01/29 07:04:09 msaitoh Exp $ */
+/* $NetBSD: raw_ip6.c,v 1.157.2.6 2023/03/23 12:08:39 martin Exp $ */
/* $KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.5 2019/01/29 07:04:09 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.157.2.6 2023/03/23 12:08:39 martin Exp $");
#ifdef _KERNEL_OPT
#include "opt_ipsec.h"
@@ -192,7 +192,16 @@ rip6_input(struct mbuf **mp, int *offp,
continue;
if (in6p->in6p_cksum != -1) {
RIP6_STATINC(RIP6_STAT_ISUM);
- if (in6_cksum(m, proto, *offp,
+ /*
+ * Although in6_cksum() does not need the position of
+ * the checksum field for verification, enforce that it
+ * is located within the packet. Userland has given
+ * a checksum offset, a packet too short for that is
+ * invalid. Avoid overflow with user supplied offset.
+ */
+ if (m->m_pkthdr.len < *offp + 2 ||
+ m->m_pkthdr.len - *offp - 2 < in6p->in6p_cksum ||
+ in6_cksum(m, proto, *offp,
m->m_pkthdr.len - *offp)) {
RIP6_STATINC(RIP6_STAT_BADSUM);
continue;
@@ -491,7 +500,7 @@ rip6_output(struct mbuf *m, struct socke
off = offsetof(struct icmp6_hdr, icmp6_cksum);
else
off = in6p->in6p_cksum;
- if (plen < off + 1) {
+ if (plen < 2 || plen - 2 < off) {
error = EINVAL;
goto bad;
}
Home |
Main Index |
Thread Index |
Old Index