[Midnightbsd-cvs] src [7422] A lack of proper input checks in the ICMPv6 processing in the SCTP stack
laffer1 at midnightbsd.org
Thu Jan 14 08:45:10 EST 2016
Revision: 7422
http://svnweb.midnightbsd.org/src/?rev=7422
Author: laffer1
Date: 2016-01-14 08:43:09 -0500 (Thu, 14 Jan 2016)
Log Message:
-----------
A lack of proper input checks in the ICMPv6 processing in the SCTP stack
can lead to either a failed kernel assertion or to a NULL pointer
dereference. In either case, a kernel panic will follow.
Obtained from: FreeBSD
Modified Paths:
--------------
stable/0.7/sys/netinet6/sctp6_usrreq.c
Property Changed:
----------------
stable/0.7/
Index: stable/0.7
===================================================================
--- stable/0.7 2016-01-14 13:42:09 UTC (rev 7421)
+++ stable/0.7 2016-01-14 13:43:09 UTC (rev 7422)
Property changes on: stable/0.7
___________________________________________________________________
Modified: svn:mergeinfo
## -1 +1 ##
-/trunk:7416,7419
\ No newline at end of property
+/trunk:7416,7419,7421
\ No newline at end of property
Modified: stable/0.7/sys/netinet6/sctp6_usrreq.c
===================================================================
--- stable/0.7/sys/netinet6/sctp6_usrreq.c 2016-01-14 13:42:09 UTC (rev 7421)
+++ stable/0.7/sys/netinet6/sctp6_usrreq.c 2016-01-14 13:43:09 UTC (rev 7422)
@@ -502,7 +502,6 @@
* XXX: We assume that when IPV6 is non NULL, M and OFF are
* valid.
*/
- /* check if we can safely examine src and dst ports */
struct sctp_inpcb *inp = NULL;
struct sctp_tcb *stcb = NULL;
struct sctp_nets *net = NULL;
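Review bot: The XXX comment left at the top of this hunk still says M and OFF are assumed valid, yet the function tests ip6c_m for NULL and, with the next hunk, the packet length against ip6c_off. Consider rewording it to say which assumptions remain unchecked, so the comment matches the checks that follow.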
@@ -511,6 +510,10 @@
if (ip6cp->ip6c_m == NULL)
return;
+ /* Check if we can safely examine the SCTP header. */
+ if (ip6cp->ip6c_m->m_pkthdr.len < ip6cp->ip6c_off + sizeof(sh))
+ return;
+
bzero(&sh, sizeof(sh));
bzero(&final, sizeof(final));
inp = NULL;
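Review bot: In the added test, "ip6cp->ip6c_off + sizeof(sh)" is computed as size_t because of the sizeof operand, so the whole comparison is done unsigned. If ip6c_off or m_pkthdr.len is a signed type, a negative offset would wrap in the sum and could still pass the test; consider rejecting ip6c_off < 0 before this comparison, or stating in the comment why it cannot be negative here. The bare return also drops the notification silently, which is worth a word in the comment.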