[Midnightbsd-cvs] [MidnightBSD/src] a5119e: Due to improper mbuf handling in the kernel, a use...
Lucas Holt
noreply at github.com
Wed Sep 2 14:12:33 EDT 2020
Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: a5119e9fdd14f1e394787b2ca4338a56b725afc8
https://github.com/MidnightBSD/src/commit/a5119e9fdd14f1e394787b2ca4338a56b725afc8
Author: Lucas Holt <luke at foolishgames.com>
Date: 2020-09-02 (Wed, 02 Sep 2020)
Changed paths:
M sys/netinet6/ip6_input.c
Log Message:
-----------
Due to improper mbuf handling in the kernel, a use-after-free bug might be
triggered by sending IPv6 Hop-by-Hop options over the loopback interface.
Commit: 082945d05c9ebdc400edb78cb62e23df1d5dbdbd
https://github.com/MidnightBSD/src/commit/082945d05c9ebdc400edb78cb62e23df1d5dbdbd
Author: Lucas Holt <luke at foolishgames.com>
Date: 2020-09-02 (Wed, 02 Sep 2020)
Changed paths:
M sbin/dhclient/options.c
M sys/netinet/sctp_input.c
M sys/netinet/sctp_output.c
M sys/netinet/sctp_pcb.c
M sys/netinet/sctp_structs.h
M sys/netinet/sctputil.c
M sys/netinet/sctputil.h
Log Message:
-----------
dhclient:
When parsing option 119 data, dhclient(8) computes the uncompressed domain
list length so that it can allocate an appropriately sized buffer to store
the uncompressed list. The code to compute the length failed to handle
certain malformed input, resulting in a heap overflow when the uncompressed
list is copied into an inadequately sized buffer.
sctp:
Due to improper handling in the kernel, a use-after-free bug can be triggered
by sending large user messages from multiple threads on the same socket.
Compare: https://github.com/MidnightBSD/src/compare/ba0e51ab63fc...082945d05c9e