Date: Tue, 03 Sep 2019 14:07:30 -0000 From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r346402 - head/sys/netinet6 Message-ID: <201904191728.x3JHSSR4030566@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Fri Apr 19 17:28:28 2019 New Revision: 346402 URL: https://svnweb.freebsd.org/changeset/base/346402 Log: When a checksum has to be computed for a received IPv6 packet because it is requested by the application using the IPPROTO_IPV6 level socket option IPV6_CHECKSUM on a raw socket, ensure that the packet contains enough bytes to contain the checksum at the specified offset. Reported by: syzbot+6295fcc5a8aced81d599@syzkaller.appspotmail.com Reviewed by: bz@ Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D19968 Modified: head/sys/netinet6/raw_ip6.c Modified: head/sys/netinet6/raw_ip6.c ============================================================================== --- head/sys/netinet6/raw_ip6.c Fri Apr 19 17:21:35 2019 (r346401) +++ head/sys/netinet6/raw_ip6.c Fri Apr 19 17:28:28 2019 (r346402) @@ -239,7 +239,8 @@ rip6_input(struct mbuf **mp, int *offp, int proto) } if (in6p->in6p_cksum != -1) { RIP6STAT_INC(rip6s_isum); - if (in6_cksum(m, proto, *offp, + if (m->m_pkthdr.len - (*offp + in6p->in6p_cksum) < 2 || + in6_cksum(m, proto, *offp, m->m_pkthdr.len - *offp)) { RIP6STAT_INC(rip6s_badsum); goto skip_2;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201904191728.x3JHSSR4030566>