Date:      Tue, 1 Aug 2023 20:06:26 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 2f6b510ea2a3 - releng/12.4 - frag6: Avoid a possible integer overflow in fragment handling
Message-ID:  <202308012006.371K6Qvw014113@gitrepo.freebsd.org>

The branch releng/12.4 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=2f6b510ea2a3a81dbf929892fe552386ed1c2262

commit 2f6b510ea2a3a81dbf929892fe552386ed1c2262
Author:     Jonathan T. Looney <jtl@FreeBSD.org>
AuthorDate: 2023-08-01 14:58:34 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-08-01 20:05:42 +0000

    frag6: Avoid a possible integer overflow in fragment handling
    
    Reviewed by:    kp, markj, bz
    Approved by:    so
    Security:       FreeBSD-SA-23:06.ipv6
    Security:       CVE-2023-3107
    
    (cherry picked from commit ff3d1a3f9d71e706f320f51bae258e4e1a51b388)
    (cherry picked from commit 234ef73f5a33959ab082e1013dcc4f82864cb10c)
---
 sys/netinet6/frag6.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c
index fe9fde6bcb25..c6d42a9eaf49 100644
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@@ -816,6 +816,11 @@ postinsert:
 	/* Adjust offset to point where the original next header starts. */
 	offset = ip6af->ip6af_offset - sizeof(struct ip6_frag);
 	free(ip6af, M_FRAG6);
+	if ((u_int)plen + (u_int)offset - sizeof(struct ip6_hdr) >
+	    IPV6_MAXPACKET) {
+		frag6_freef(q6, bucket);
+		goto dropfrag;
+	}
 	ip6 = mtod(m, struct ip6_hdr *);
 	ip6->ip6_plen = htons((u_short)plen + offset - sizeof(struct ip6_hdr));
 	if (q6->ip6q_ecn == IPTOS_ECN_CE)
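Review bot: The new bounds check before `ip6 = mtod(m, struct ip6_hdr *);` carries no comment saying what it protects, and the commit message has no body either. The reason is visible only by reading the next statement, where `htons((u_short)plen + offset - sizeof(struct ip6_hdr))` narrows the same sum to 16 bits for `ip6_plen`, so a reassembled length above IPV6_MAXPACKET would be stored truncated. A one-line comment above the `if`, for example "reassembled payload length must fit in the 16-bit ip6_plen field", would make that clear to the next reader. The length expression is also written twice with different casts (`(u_int)plen + (u_int)offset` in the check, `(u_short)plen + offset` in the assignment), and because `sizeof` yields a `size_t` the comparison is evaluated at that width rather than as `u_int`. Computing the value once into a local, checking it against IPV6_MAXPACKET, and passing that same local to `htons()` would keep the check and the store from drifting apart.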


