Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 19 Apr 2019 17:28:28 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r346402 - head/sys/netinet6
Message-ID:  <201904191728.x3JHSSR4030566@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: tuexen
Date: Fri Apr 19 17:28:28 2019
New Revision: 346402
URL: https://svnweb.freebsd.org/changeset/base/346402

Log:
  When a checksum has to be computed for a received IPv6 packet because it
  is requested by the application using the IPPROTO_IPV6 level socket option
  IPV6_CHECKSUM on a raw socket, ensure that the packet contains enough
  bytes to contain the checksum at the specified offset.
  
  Reported by:		syzbot+6295fcc5a8aced81d599@syzkaller.appspotmail.com
  Reviewed by:		bz@
  Sponsored by:		Netflix, Inc.
  Differential Revision:	https://reviews.freebsd.org/D19968

Modified:
  head/sys/netinet6/raw_ip6.c

Modified: head/sys/netinet6/raw_ip6.c
==============================================================================
--- head/sys/netinet6/raw_ip6.c	Fri Apr 19 17:21:35 2019	(r346401)
+++ head/sys/netinet6/raw_ip6.c	Fri Apr 19 17:28:28 2019	(r346402)
@@ -239,7 +239,8 @@ rip6_input(struct mbuf **mp, int *offp, int proto)
 		}
 		if (in6p->in6p_cksum != -1) {
 			RIP6STAT_INC(rip6s_isum);
-			if (in6_cksum(m, proto, *offp,
+			if (m->m_pkthdr.len - (*offp + in6p->in6p_cksum) < 2 ||
+			    in6_cksum(m, proto, *offp,
 			    m->m_pkthdr.len - *offp)) {
 				RIP6STAT_INC(rip6s_badsum);
 				goto skip_2;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201904191728.x3JHSSR4030566>