Date: Fri, 17 Oct 2014 23:49:02 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 194439] New: mld_v1_transmit_report corrupts memory Message-ID: <bug-194439-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194439 Bug ID: 194439 Summary: mld_v1_transmit_report corrupts memory Product: Base System Version: 11.0-CURRENT Hardware: Any OS: Any Status: Needs Triage Severity: Affects Some People Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: Herbie.Robinson@stratus.com The "MH_ALIGN(mh, sizeof(struct ip6_hdr));" in mld_v1_transmit_report should be "MH_ALIGN(mh, sizeof(struct ip6_hdr)+sizeof(struct mld_hdr));". The current code will always walk off the end of the buffer and corrupt whatever memory follows. It's a good thing that mldv2 is widely supported :-) -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-194439-8>