Date: Mon, 16 Apr 2007 22:25:59 +0200
From: Max Laier <max@love2party.net>
To: Mike Makonnen <mtm@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: ping6 extension headers bounds checking
Message-ID: <200704162226.08931.max@love2party.net>
In-Reply-To: <20070416101609.GA2137@rogue.navcom.lan>
References: <20070416101609.GA2137@rogue.navcom.lan>
On Monday 16 April 2007 12:16, Mike Makonnen wrote:
> Hello folks,
>
> Please review the attached patch for ping6(8) to fix PR kern/99425
>
> You can attach extra headers to the ping6 packet by specifying, for
> example, extra routing information. This information is sent as
> control data with sendmsg(2) and when you get a reply is received
> as control data from recvmsg(2).
>
> In a nutshell, there are 2 problems:
> 1. The buffer supplied to recvmsg(2) to hold control (ancillary)
>    data is, in some cases, too small to hold all the extra headers.
> 2. In verbose mode, when printing out the control data, it doesn't
>    check to make sure that the stated length of the headers is
>    within the bounds of the buffer.
>
> To address this I increased the buffer supplied to recvmsg(2) to the
> minimum required by rfc 3542 (10420 bytes) and I modified the
> functions that print the extra header information to print a
> warning if the buffer is too small and to print only as much
> information as contained in the buffer.

I think it'd be better to supply the print functions with the rest of the
buffer length instead of an offset. This way only the caller has to know the
size of the buffer - btw, do we get a result back, i.e. how much buffer
was used? In addition you could check if the offset in the for-loop of
the caller is within bounds, before even attempting to call further.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
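A bounds-checked version of the routing-header print step along the lines Max suggests (remaining buffer length passed in, nothing read past it), added here as an illustration and not part of the ping6 patch under review; the struct, the function name and the sample buffer are constructed for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type 0 routing header as delivered in IPV6_RTHDR ancillary data (RFC 2460
 * layout). Defined locally so the example does not depend on platform headers. */
struct rthdr0 {
    uint8_t  nxt, len, type, segleft;  /* len: 8-octet units after the first 8 bytes */
    uint32_t reserved;                 /* followed by len/2 IPv6 addresses */
};

/* Print the addresses carried by the routing header at `buf`, trusting only
 * `remain`, the bytes actually left in the ancillary buffer from `buf` on.
 * Returns the number of complete addresses present; *truncated (may be NULL)
 * is set when the header claims more than fits.  Returns -1 when not even the
 * fixed 8-byte header fits, so the caller's loop can stop early. */
int pr_rthdr_bounded(const unsigned char *buf, size_t remain, int *truncated)
{
    struct rthdr0 rh;
    size_t claimed, avail, i, n;
    char addr[INET6_ADDRSTRLEN];

    if (truncated) *truncated = 0;
    if (remain < sizeof(rh))
        return -1;
    memcpy(&rh, buf, sizeof(rh));          /* avoid an unaligned read */
    claimed = (size_t)rh.len * 8;          /* address bytes the header claims */
    avail = remain - sizeof(rh);
    if (claimed > avail) {
        printf("  (routing header claims %zu bytes, only %zu in buffer)\n",
               claimed, avail);
        if (truncated) *truncated = 1;
        claimed = avail;                   /* print only what is really there */
    }
    n = claimed / sizeof(struct in6_addr); /* whole addresses only */
    for (i = 0; i < n; i++) {
        const unsigned char *p = buf + sizeof(rh) + i * sizeof(struct in6_addr);
        printf("  [%zu] %s\n", i, inet_ntop(AF_INET6, p, addr, sizeof(addr)));
    }
    return (int)n;
}

/* Constructed sample: type 0 routing header with two addresses, 40 bytes. */
static const unsigned char sample_rthdr[40] = {
    58, 4, 0, 2, 0, 0, 0, 0,                       /* nxt=58, len=4, type=0, segleft=2 */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,   /* 2001:db8::1 */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2    /* 2001:db8::2 */
};
```

Passing the same buffer with a shorter `remain` shows the truncation warning and only the addresses that fully fit.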