Date: Tue, 27 Nov 2018 19:43:16 +0000 (UTC)
From: Gordon Tetlow <gordon@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r341089 - releng/11.2/sys/netinet
Message-ID: <201811271943.wARJhGH5037618@repo.freebsd.org>
Author: gordon Date: Tue Nov 27 19:43:16 2018 New Revision: 341089 URL: https://svnweb.freebsd.org/changeset/base/341089 Log: Fix ICMP buffer underwrite. [EN-18:13.icmp] Approved by: so Security: FreeBSD-EN-18:13.icmp Security: CVE-2018-17156 Modified: releng/11.2/sys/netinet/ip_icmp.c Modified: releng/11.2/sys/netinet/ip_icmp.c ============================================================================== --- releng/11.2/sys/netinet/ip_icmp.c Tue Nov 27 19:42:16 2018 (r341088) +++ releng/11.2/sys/netinet/ip_icmp.c Tue Nov 27 19:43:16 2018 (r341089) @@ -310,7 +310,8 @@ stdreply: icmpelen = max(8, min(V_icmp_quotelen, ntohs #endif icmplen = min(icmplen, M_TRAILINGSPACE(m) - sizeof(struct ip) - ICMP_MINLEN); - m_align(m, ICMP_MINLEN + icmplen); + m_align(m, sizeof(struct ip) + ICMP_MINLEN + icmplen); + m->m_data += sizeof(struct ip); m->m_len = ICMP_MINLEN + icmplen; /* XXX MRT make the outgoing packet use the same FIB @@ -352,6 +353,8 @@ stdreply: icmpelen = max(8, min(V_icmp_quotelen, ntohs * reply should bypass as well. */ m->m_flags |= n->m_flags & M_SKIP_FIREWALL; + KASSERT(M_LEADINGSPACE(m) >= sizeof(struct ip), + ("insufficient space for ip header")); m->m_data -= sizeof(struct ip); m->m_len += sizeof(struct ip); m->m_pkthdr.len = m->m_len;
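Review bot: In the first hunk (@@ -310), the new "m->m_data += sizeof(struct ip);" after m_align() only makes sense together with the "m->m_data -= sizeof(struct ip);" in the second hunk, and nothing at this site says so. A one-line comment here, stating that room for the IP header is reserved in front of the ICMP header and reclaimed before the reply is sent, would keep a later edit from dropping one half of the pair and reintroducing the underwrite.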
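Review bot: The KASSERT added in the second hunk (@@ -352) is compiled in only on kernels built with INVARIANTS, so on a release kernel the "m->m_data -= sizeof(struct ip);" that follows it is still unchecked. If the reservation made at m_align() is ever broken again, a runtime test of M_LEADINGSPACE(m) >= sizeof(struct ip) that drops the reply would fail safe instead of writing ahead of the buffer; failing that, a comment pointing back to the m_align() call would document where the invariant is established.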