Date: Tue, 1 Aug 2023 20:04:20 GMT
Message-Id: <202308012004.371K4Kba013085@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston Subject: git: da38eaca4a22 - releng/13.2 - frag6: Avoid a possible integer overflow in fragment handling List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/13.2 X-Git-Reftype: branch X-Git-Commit: da38eaca4a22bc8ab65df825c910adbf02536873 Auto-Submitted: auto-generated The branch releng/13.2 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=da38eaca4a22bc8ab65df825c910adbf02536873 commit da38eaca4a22bc8ab65df825c910adbf02536873 Author: Jonathan T. Looney AuthorDate: 2023-08-01 14:58:34 +0000 Commit: Mark Johnston CommitDate: 2023-08-01 19:51:27 +0000 frag6: Avoid a possible integer overflow in fragment handling Reviewed by: kp, markj, bz Approved by: so Security: FreeBSD-SA-23:06.ipv6 Security: CVE-2023-3107 (cherry picked from commit ff3d1a3f9d71e706f320f51bae258e4e1a51b388) (cherry picked from commit 9515f04fe3b12b9e6ef6c802b647dd4cbdba621b) --- sys/netinet6/frag6.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c index e0857d3af3e8..023470b20033 100644 --- a/sys/netinet6/frag6.c +++ b/sys/netinet6/frag6.c @@ -806,6 +806,11 @@ postinsert: /* Adjust offset to point where the original next header starts. */ offset = ip6af->ip6af_offset - sizeof(struct ip6_frag); free(ip6af, M_FRAG6); + if ((u_int)plen + (u_int)offset - sizeof(struct ip6_hdr) > + IPV6_MAXPACKET) { + frag6_freef(q6, bucket); + goto dropfrag; + } ip6 = mtod(m, struct ip6_hdr *); ip6->ip6_plen = htons((u_short)plen + offset - sizeof(struct ip6_hdr)); if (q6->ip6q_ecn == IPTOS_ECN_CE)
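Review bot: The added check under `postinsert:` carries no comment saying what it guards, and it repeats the length expression that the next statement, `ip6->ip6_plen = htons((u_short)plen + offset - sizeof(struct ip6_hdr));`, computes again. I would compute the reassembled payload length once into a local, compare that local against `IPV6_MAXPACKET`, and pass the same local to `htons()`, so the bound and the stored value cannot drift apart in a later edit. A one-line comment that `ip6_plen` is a 16-bit field and that a larger sum would be silently truncated by the `(u_short)` cast would make the reason for the drop clear to the next reader, since the commit message itself gives only the subject line and the advisory references. Also worth stating in that comment: because of the `sizeof` operand the comparison is evaluated in unsigned arithmetic, so a sum smaller than `sizeof(struct ip6_hdr)` wraps to a large value and takes the same `frag6_freef(q6, bucket); goto dropfrag;` path. That fails closed, but it should be documented as intended rather than left implicit.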