author | 2020-05-06 07:08:53 +0000 | |
---|---|---|
committer | 2020-05-06 07:08:53 +0000 | |
commit | 574b3a4fa98da815e768e03fe0bc92c34e9a638c (patch) | |
tree | b5444751a02a1650e47b11c482d81411d6bbf4a6 | |
parent | Purge the ic_bss->ni_savedq mbuf queue when a wireless interface goes down. (diff) | |
Do sanity checks in ip6_pullexthdr() preventing a panic in m_copydata(9).
An invalid/corrupted hop6 option in rip6_input()/ip6_savecontrol() could
lead m_copydata(9)'s check to trigger a panic.
Fix from maxv@NetBSD where the problem was also reported by syzkaller.
Reported-by: syzbot+3b07b3511b4ceb8bf1e2@syzkaller.appspotmail.com
Reported-by: syzbot+7ee0eb2691d507fcad2e@syzkaller.appspotmail.com
ok sashan@, dlg@, claudio@, deraadt@
-rw-r--r-- | sys/netinet6/ip6_input.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index e8d2e53fdd6..e33d0b9c715 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_input.c,v 1.225 2020/04/12 11:56:53 mpi Exp $ */ +/* $OpenBSD: ip6_input.c,v 1.226 2020/05/06 07:08:53 mpi Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -1142,12 +1142,18 @@ ip6_pullexthdr(struct mbuf *m, size_t off, int nxt) } #endif + if (off + sizeof(ip6e) > m->m_pkthdr.len) + return NULL; + m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e); if (nxt == IPPROTO_AH) elen = (ip6e.ip6e_len + 2) << 2; else elen = (ip6e.ip6e_len + 1) << 3; + if (off + elen > m->m_pkthdr.len) + return NULL; + MGET(n, M_DONTWAIT, MT_DATA); if (n && elen >= MLEN) { MCLGET(n, M_DONTWAIT); |
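Review bot: In the ip6_pullexthdr() hunk, both new checks add to `off`, which the signature declares as `size_t`, and compare the sum with `m->m_pkthdr.len`, so their correctness depends on `off + sizeof(ip6e)` and `off + elen` not wrapping; a short comment stating that bound would make the reasoning auditable. `ip6e_len` is a single byte, so `elen` is at most (255 + 1) << 3 = 2048, and the sums cannot wrap as long as callers pass an `off` that lies within the packet, which is an assumption the hunk does not show being enforced. The two new `return NULL` paths are also silent: a one-line comment saying they reject an extension header that extends past the end of the packet, the condition the commit message says made m_copydata(9) panic, would help the next reader distinguish them from other failure returns.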