[Midnightbsd-cvs] src [12124] trunk/sys/netinet/ip_icmp.c: ICMP buffer underwrite
laffer1 at midnightbsd.org
Fri Nov 30 15:23:44 EST 2018
Revision: 12124
http://svnweb.midnightbsd.org/src/?rev=12124
Author: laffer1
Date: 2018-11-30 15:23:43 -0500 (Fri, 30 Nov 2018)
Log Message:
-----------
ICMP buffer underwrite
The icmp_error routine allocates either an mbuf or a cluster depending on the
size of the data to be quoted in the ICMP reply, but the calculation failed
to account for additional padding on 64-bit platforms when using a
non-default sysctl value for net.inet.icmp.quotelen.
Modified Paths:
--------------
trunk/sys/netinet/ip_icmp.c
Modified: trunk/sys/netinet/ip_icmp.c
===================================================================
--- trunk/sys/netinet/ip_icmp.c 2018-11-25 20:40:09 UTC (rev 12123)
+++ trunk/sys/netinet/ip_icmp.c 2018-11-30 20:23:43 UTC (rev 12124)
@@ -294,7 +294,8 @@
mac_netinet_icmp_reply(n, m);
#endif
icmplen = min(icmplen, M_TRAILINGSPACE(m) - sizeof(struct ip) - ICMP_MINLEN);
- m_align(m, ICMP_MINLEN + icmplen);
+ m_align(m, sizeof(struct ip) + ICMP_MINLEN + icmplen);
+ m->m_data += sizeof(struct ip);
m->m_len = ICMP_MINLEN + icmplen;
/* XXX MRT make the outgoing packet use the same FIB
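Review bot: the added `m->m_data += sizeof(struct ip);` has no comment explaining that it reserves room for the IP header that is prepended later by `m->m_data -= sizeof(struct ip)`. The `m_align()` length now matches the three terms used in the `icmplen` clamp just above it (`sizeof(struct ip)`, `ICMP_MINLEN`, `icmplen`), which is the invariant that keeps the later prepend inside the buffer. A one-line comment stating this would stop a future cleanup from "simplifying" the call back to `ICMP_MINLEN + icmplen`.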
@@ -336,6 +337,8 @@
* reply should bypass as well.
*/
m->m_flags |= n->m_flags & M_SKIP_FIREWALL;
+ KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ip),
+ ("insufficient space for ip header"));
m->m_data -= sizeof(struct ip);
m->m_len += sizeof(struct ip);
m->m_pkthdr.len = m->m_len;
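Review bot: the `KASSERT` placed before `m->m_data -= sizeof(struct ip)` is compiled in only on kernels built with INVARIANTS, so on release kernels the prepend is still unchecked and correctness rests entirely on the `m_align()` change in the earlier hunk. That is acceptable as a regression tripwire, but the message would be more useful for debugging if it printed the actual `M_LEADINGSPACE(m)` value. If this path is ever reachable with too little leading space, a runtime check that frees the mbuf and returns would be the safer form.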
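The arithmetic behind the log message, as an added example that is not MidnightBSD code: it models the leading space available for the IP header under the rev 12123 and rev 12124 calculations. The 200-byte buffer, the helper names and the model of `m_align()` (start offset rounded down to a multiple of `sizeof(long)`) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define IP_HDR_LEN  20u  /* sizeof(struct ip), no options */
#define ICMP_MINLEN 8u
#define BUF_SIZE    200u /* constructed buffer size, not a real MHLEN/MCLBYTES */

/* Assumed model of m_align(): put len bytes at the end of the buffer and
 * round the start offset down to a multiple of long_size. */
static size_t align_offset(size_t size, size_t len, size_t long_size)
{
    return (size - len) & ~(long_size - 1);
}

/* The min() clamp from the diff: quoted data is limited so that IP header,
 * ICMP header and quote fit in the buffer's trailing space. */
static size_t clamp_icmplen(size_t size, size_t requested)
{
    size_t room = size - IP_HDR_LEN - ICMP_MINLEN;
    return requested < room ? requested : room;
}

/* Leading space left for the IP header with the rev 12123 calculation. */
static size_t lead_before(size_t size, size_t requested, size_t long_size)
{
    size_t icmplen = clamp_icmplen(size, requested);
    return align_offset(size, ICMP_MINLEN + icmplen, long_size);
}

/* Leading space with the rev 12124 calculation: align for the whole packet,
 * then step m_data past the reserved IP header. */
static size_t lead_after(size_t size, size_t requested, size_t long_size)
{
    size_t icmplen = clamp_icmplen(size, requested);
    return align_offset(size, IP_HDR_LEN + ICMP_MINLEN + icmplen, long_size)
        + IP_HDR_LEN;
}

int main(void)
{
    for (size_t req = 166; req <= 172; req++)
        printf("req=%zu  before: 4B=%zu 8B=%zu  after: 4B=%zu 8B=%zu\n", req,
               lead_before(BUF_SIZE, req, 4), lead_before(BUF_SIZE, req, 8),
               lead_after(BUF_SIZE, req, 4), lead_after(BUF_SIZE, req, 8));
    return 0;
}
```

Any "before" value below 20 is a case where prepending the IP header would move `m_data` in front of the buffer; in this model that happens only with 8-byte alignment, because rounding down to a multiple of 4 can never take a value of at least 20 below 20.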