Date: Tue, 20 Aug 2019 17:49:33 +0000 (UTC) From: Gordon Tetlow <gordon@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r351259 - in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern Message-ID: <201908201749.x7KHnXdU061205@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: gordon Date: Tue Aug 20 17:49:33 2019 New Revision: 351259 URL: https://svnweb.freebsd.org/changeset/base/351259 Log: Fix IPv6 remote denial of service. Approved by: so Security: FreeBSD-SA-19:22.mbuf Security: CVE-2019-5611 Modified: releng/11.2/sys/kern/uipc_mbuf2.c releng/11.3/sys/kern/uipc_mbuf2.c releng/12.0/sys/kern/uipc_mbuf2.c Modified: releng/11.2/sys/kern/uipc_mbuf2.c ============================================================================== --- releng/11.2/sys/kern/uipc_mbuf2.c Tue Aug 20 17:46:40 2019 (r351258) +++ releng/11.2/sys/kern/uipc_mbuf2.c Tue Aug 20 17:49:33 2019 (r351259) @@ -214,7 +214,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp goto ok; } if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen - && writable) { + && writable && n->m_next->m_len >= tlen) { n->m_next->m_data -= hlen; n->m_next->m_len += hlen; bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen); Modified: releng/11.3/sys/kern/uipc_mbuf2.c ============================================================================== --- releng/11.3/sys/kern/uipc_mbuf2.c Tue Aug 20 17:46:40 2019 (r351258) +++ releng/11.3/sys/kern/uipc_mbuf2.c Tue Aug 20 17:49:33 2019 (r351259) @@ -214,7 +214,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp goto ok; } if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen - && writable) { + && writable && n->m_next->m_len >= tlen) { n->m_next->m_data -= hlen; n->m_next->m_len += hlen; bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen); Modified: releng/12.0/sys/kern/uipc_mbuf2.c ============================================================================== --- releng/12.0/sys/kern/uipc_mbuf2.c Tue Aug 20 17:46:40 2019 (r351258) +++ releng/12.0/sys/kern/uipc_mbuf2.c Tue Aug 20 17:49:33 2019 (r351259) @@ -216,7 +216,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp goto ok; } if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen - && writable) { + && writable && n->m_next->m_len >= tlen) { n->m_next->m_data -= hlen; n->m_next->m_len += hlen; bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201908201749.x7KHnXdU061205>