Date:      Thu, 28 Sep 2017 22:15:53 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 222670] Reinitialize mtod derived protocol header pointers in icmp_error after calling m_pullup
Message-ID:  <bug-222670-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222670

            Bug ID: 222670
           Summary: Reinitialize mtod derived protocol header pointers in
                    icmp_error after calling m_pullup
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: prabhakar.lakhera@gmail.com

Header pointers need to be reinitialized in icmp_error after m_pullup calls:

Date:   Thu Sep 28 15:06:28 2017 -0700

    Reinitialize mtod derived protocol header pointers in icmp_error after
calling m_pullup

diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 5983b3386af..4f466236864 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -237,6 +237,12 @@ icmp_error(struct mbuf *n, int type, int code, uint32_t
dest, int mtu)
                if (n->m_len < oiphlen + sizeof(struct tcphdr) &&
                    ((n =3D m_pullup(n, oiphlen + sizeof(struct tcphdr))) =
=3D=3D
NULL))
                        goto freeit;
+
+               /*
+                * Reinitialize pointers derived from mbuf data pointer,
+                * after calling m_pullup
+                */
+               oip =3D mtod(n, struct ip *);
                th =3D (struct tcphdr *)((caddr_t)oip + oiphlen);
                tcphlen =3D th->th_off << 2;
                if (tcphlen < sizeof(struct tcphdr))
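Review bot: The added comment before each re-derivation says what is done but not why, and the why is what stops a later editor from removing it: m_pullup() can free the leading mbuf and return a different one, so an `oip` computed before the call may point into freed memory. I would word it as `/* m_pullup() may replace the first mbuf; re-derive oip from the new n so it does not dangle. */`. The same comment is repeated in the three later hunks of this patch (the second TCP pullup and both SCTP pullups) and would benefit from the same wording. icmp_error's body starts and ends outside this hunk, so any other pointer taken from the mbuf data before these calls is not visible here and is worth checking.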
@@ -248,6 +254,14 @@ icmp_error(struct mbuf *n, int type, int code, uint32_t
dest, int mtu)
                if (n->m_len < oiphlen + tcphlen &&=20
                    ((n =3D m_pullup(n, oiphlen + tcphlen)) =3D=3D NULL))
                        goto freeit;
+
+               /*
+                * Reinitialize pointers derived from mbuf data pointer,
+                * after calling m_pullup
+                */
+               oip =3D mtod(n, struct ip *);
+               th =3D (struct tcphdr *)((caddr_t)oip + oiphlen);
+
                icmpelen =3D max(tcphlen, min(V_icmp_quotelen,
                    ntohs(oip->ip_len) - oiphlen));
        } else if (oip->ip_p =3D=3D IPPROTO_SCTP) {
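Review bot: The `th` re-derived after the second m_pullup() is not read again in the lines visible below it, where `icmpelen` is computed from `tcphlen` and `oip` only, and the TCP branch closes on the next line. Keeping the assignment is reasonable so that no stale pointer into the old mbuf remains in scope, but the comment should then say so, for example `/* th is refreshed as well so it cannot be used stale if this branch grows */`. The start of the TCP branch, including where `th` is declared, is outside this hunk, so this reading should be confirmed against the full function.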
@@ -262,6 +276,12 @@ icmp_error(struct mbuf *n, int type, int code, uint32_t
dest, int mtu)
                if (n->m_len < oiphlen + sizeof(struct sctphdr) &&
                    (n =3D m_pullup(n, oiphlen + sizeof(struct sctphdr))) =
=3D=3D
NULL)
                        goto freeit;
+
+               /*
+                * Reinitialize pointers derived from mbuf data pointer,
+                * after calling m_pullup
+                */
+               oip =3D mtod(n, struct ip *);
                icmpelen =3D max(sizeof(struct sctphdr),
                    min(V_icmp_quotelen, ntohs(oip->ip_len) - oiphlen));
                sh =3D (struct sctphdr *)((caddr_t)oip + oiphlen);
@@ -272,7 +292,15 @@ icmp_error(struct mbuf *n, int type, int code, uint32_t
dest, int mtu)
                        if (n->m_len < oiphlen + sizeof(struct sctphdr) + 8=
 &&
                            (n =3D m_pullup(n, oiphlen + sizeof(struct sctp=
hdr) +
8)) =3D=3D NULL)
                                goto freeit;
+
+                       /*
+                        * Reinitialize pointers derived from mbuf data
pointer,
+                        * after calling m_pullup
+                        */
+                       oip =3D mtod(n, struct ip *);
+                       sh =3D (struct sctphdr *)((caddr_t)oip + oiphlen);
                        ch =3D (struct sctp_chunkhdr *)(sh + 1);
+
                        if (ch->chunk_type =3D=3D SCTP_INITIATION) {
                                icmpelen =3D max(sizeof(struct sctphdr) + 8,
                                    min(V_icmp_quotelen, ntohs(oip->ip_len)=
 -
oiphlen));

--=20
You are receiving this mail because:
You are the assignee for the bug.=


