[Midnightbsd-cvs] [MidnightBSD/src] fee655: initialize vars in ipfw

Lucas Holt noreply at github.com
Tue Dec 1 16:07:53 EST 2020


  Branch: refs/heads/master
  Home:   https://github.com/MidnightBSD/src
  Commit: fee6552ec9d7b5526a21cdba46e81c131955258d
      https://github.com/MidnightBSD/src/commit/fee6552ec9d7b5526a21cdba46e81c131955258d
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2020-12-01 (Tue, 01 Dec 2020)

  Changed paths:
    M sbin/ipfw/dummynet.c
    M sbin/ipfw/ipfw2.c
    M sbin/ipfw/nat64lsn.c
    M sbin/ipfw/tables.c

  Log Message:
  -----------
  initialize vars in ipfw


  Commit: a25bbc3d6c9a79a64356da04516a5dce9e4cd555
      https://github.com/MidnightBSD/src/commit/a25bbc3d6c9a79a64356da04516a5dce9e4cd555
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2020-12-01 (Tue, 01 Dec 2020)

  Changed paths:
    M sys/netinet6/icmp6.c

  Log Message:
  -----------
  When an ICMPv6 error message is received, the BSD ICMPv6 stack may
extract information from the message to hand to upper-layer protocols.  As a
part of this operation, it may parse IPv6 header options from a packet
embedded in the ICMPv6 message.

The handler for a routing option caches a pointer into the packet buffer
holding the ICMPv6 message.  However, when processing subsequent options the
packet buffer may be freed, rendering the cached pointer invalid.  The
network stack may later dereference the pointer, potentially triggering a
use-after-free.

Obtained from: FreeBSD


  Commit: 364d2fc7dd0bddea9719d114cee3f1de2eea6565
      https://github.com/MidnightBSD/src/commit/364d2fc7dd0bddea9719d114cee3f1de2eea6565
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2020-12-01 (Tue, 01 Dec 2020)

  Changed paths:
    M usr.sbin/rtsold/rtsol.c

  Log Message:
  -----------
  Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling.  First,
rtsold(8) failed to perform sufficient bounds checking on the extent of the
option.  In particular, it does not verify that the option does not extend
past the end of the received packet before processing its contents.  The
kernel currently ignores such malformed packets but still passes them to
userspace programs.

Second, when processing a DNSSL option, rtsold(8) decodes domain name labels
per an encoding specified in RFC 1035 in which the first octet of each label
contains the label's length.  rtsold(8) did not validate label lengths
correctly and could overflow the destination buffer.

Obtained from: FreeBSD


Compare: https://github.com/MidnightBSD/src/compare/54a3741785ab...364d2fc7dd0b
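The rtsold(8) commit above describes two checks a DNSSL parser must make: that the option lies entirely within the received packet, and that each RFC 1035 label length is validated against both the remaining input and the destination buffer. The following is an added, self-contained C example of a parser that makes both checks; it is not MidnightBSD's or FreeBSD's rtsold code. The function names (decode_name, parse_dnssl), the constructed sample options and the fixed 8-byte DNSSL header layout (type, length in 8-octet units, 2 reserved bytes, 4-byte lifetime, per RFC 8106) are assumptions of this example, not taken from the commits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1035 limits a label to 63 octets; the two high bits of the length
 * octet mark a compression pointer, which has no place in a DNSSL option. */
#define MAX_LABEL_LEN 63
/* Assumed DNSSL header size: type(1) len(1) reserved(2) lifetime(4). */
#define DNSSL_HDR_LEN 8

/*
 * Decode one RFC 1035 encoded domain name at buf[0], reading at most buflen
 * bytes and writing at most outlen bytes (including the NUL).
 * Returns the number of input bytes consumed, or -1 if the encoding is
 * malformed or would overrun either buffer.
 */
static int
decode_name(const uint8_t *buf, size_t buflen, char *out, size_t outlen)
{
    size_t in = 0, o = 0;

    if (outlen == 0)
        return -1;
    for (;;) {
        if (in >= buflen)            /* length octet must be inside the input */
            return -1;
        uint8_t llen = buf[in++];
        if (llen == 0)               /* root label terminates the name */
            break;
        if (llen > MAX_LABEL_LEN)    /* compression pointers / bad lengths */
            return -1;
        if (llen > buflen - in)      /* label body must fit the remaining input */
            return -1;
        /* Output needs a '.' separator (after the first label), the label
         * itself and the terminating NUL; this is the check the commit says
         * was missing and that allowed the destination buffer to overflow. */
        size_t need = (o > 0 ? 1 : 0) + llen + 1;
        if (need > outlen - o)
            return -1;
        if (o > 0)
            out[o++] = '.';
        memcpy(out + o, buf + in, llen);
        o += llen;
        in += llen;
    }
    out[o] = '\0';
    return (int)in;
}

/*
 * Validate a DNSSL option at pkt[off] inside a packet of pktlen bytes and
 * decode its first domain name into out. Returns the option length in bytes,
 * or -1 if the option runs past the packet or carries a malformed name.
 */
static int
parse_dnssl(const uint8_t *pkt, size_t pktlen, size_t off,
            char *out, size_t outlen)
{
    if (off >= pktlen || pktlen - off < 2)
        return -1;
    size_t optlen = (size_t)pkt[off + 1] * 8;
    /* First bug from the commit: the option must not extend past the packet. */
    if (optlen < DNSSL_HDR_LEN || optlen > pktlen - off)
        return -1;
    /* Second bug: labels are decoded bounded by the option, never by llen alone. */
    if (decode_name(pkt + off + DNSSL_HDR_LEN, optlen - DNSSL_HDR_LEN,
                    out, outlen) < 0)
        return -1;
    return (int)optlen;
}

/* Constructed sample: a well-formed 24-byte DNSSL option carrying "example.com". */
static const uint8_t good_opt[24] = {
    31, 3, 0, 0, 0, 0, 0x0e, 0x10,                       /* type, len=3 (24 B), reserved, lifetime */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, /* "example.com" */
    0, 0, 0                                              /* padding to 8-octet multiple */
};
/* Constructed sample: a 16-byte option whose label claims 40 bytes but has 7. */
static const uint8_t bad_label_opt[16] = {
    31, 2, 0, 0, 0, 0, 0, 0,
    40, 'a', 'b', 'c', 0, 0, 0, 0
};

/* Each check returns 1 when the parser behaves as intended, 0 otherwise. */
static int good_option_decodes_example_com(void)
{
    char out[256];
    return parse_dnssl(good_opt, sizeof good_opt, 0, out, sizeof out) == 24 &&
           strcmp(out, "example.com") == 0;
}
static int truncated_packet_rejected(void)   /* packet ends before the option does */
{
    char out[256];
    return parse_dnssl(good_opt, 16, 0, out, sizeof out) == -1;
}
static int oversized_label_rejected(void)    /* label length exceeds the option */
{
    char out[256];
    return parse_dnssl(bad_label_opt, sizeof bad_label_opt, 0, out, sizeof out) == -1;
}
static int small_output_rejected(void)       /* "example.com" cannot fit in 8 bytes */
{
    char out[8];
    return parse_dnssl(good_opt, sizeof good_opt, 0, out, sizeof out) == -1;
}

int main(void)
{
    printf("good option: %d\ntruncated packet: %d\noversized label: %d\nsmall output: %d\n",
           good_option_decodes_example_com(), truncated_packet_rejected(),
           oversized_label_rejected(), small_output_rejected());
    return 0;
}
```

The point of the two-level bound (option within packet, label within option) is that the kernel may hand userspace a router advertisement it would itself ignore, as the commit notes, so the userspace parser cannot rely on the option length having been validated before it sees the bytes.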
