
MFC r340260: Avoid buffer underwrite in icmp_error

Description

MFC r340260: Avoid buffer underwrite in icmp_error

icmp_error allocates either an mbuf (with pkthdr) or a cluster depending
on the size of data to be quoted in the ICMP reply, but the calculation
failed to account for the additional padding that m_align may apply.

Include the ip header in the size passed to m_align. On 64-bit archs
this will have the net effect of moving everything 4 bytes later in the
mbuf or cluster. This will result in slightly pessimal alignment for
the ICMP data copy.

Also add an assertion that we do not move m_data before the beginning of
the mbuf or cluster.

Reported by: A reddit user
Security: CVE-2018-17156
Sponsored by: The FreeBSD Foundation
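The alignment arithmetic the commit message describes, as an added model that is not part of this commit or of FreeBSD's source. It assumes that m_align moves m_data forward by (buffer size minus requested length) rounded down to a multiple of sizeof(long), uses toy buffer sizes rather than the real MHLEN/MCLBYTES, and uses hypothetical names (model_m_align, fits_in_buffer, final_data_offset, worst_case_offset); it shows that leaving the IP header out of the length passed to m_align can push m_data before the buffer once the header is prepended, while including it (with the assertion the commit adds) cannot.

```c
#include <assert.h>
#include <stddef.h>

/* Constructed mbuf model: a BUF_SIZE-byte data area and an m_data offset.
 * Sizes are illustrative, not FreeBSD's real MHLEN or MCLBYTES. */
#define BUF_SIZE    64
#define IP_HDR_LEN  20                 /* sizeof(struct ip), no options */
#define ICMP_MINLEN 8
#define ALIGN_MASK  (sizeof(long) - 1) /* 7 on 64-bit archs */

/* Assumed model of m_align(m, len): push m_data forward so the data ends at
 * the end of the buffer, rounding the move DOWN to a multiple of sizeof(long).
 * That rounding is the padding the commit message says was not accounted for. */
static size_t model_m_align(size_t buf_size, size_t len) {
    return (buf_size - len) & ~ALIGN_MASK;
}

/* The allocation decision: does IP header + ICMP header + quoted data fit? */
int fits_in_buffer(size_t quoted_len) {
    return BUF_SIZE > IP_HDR_LEN + ICMP_MINLEN + quoted_len;
}

/* m_data offset after the icmp_error steps: align for the ICMP part, then
 * back m_data up by sizeof(struct ip) to prepend the quoted IP header.
 * include_ip_in_align: 0 models the pre-fix m_align call, 1 the fixed one.
 * A negative result means the header would land before the buffer start. */
long final_data_offset(size_t quoted_len, int include_ip_in_align) {
    size_t icmp_len = ICMP_MINLEN + quoted_len;
    assert(fits_in_buffer(quoted_len));
    long off = (long)model_m_align(BUF_SIZE, icmp_len);       /* pre-fix call */
    if (include_ip_in_align) /* fixed call: IP header included in the length */
        off = (long)model_m_align(BUF_SIZE, IP_HDR_LEN + icmp_len) + IP_HDR_LEN;
    off -= IP_HDR_LEN;       /* m->m_data -= sizeof(struct ip) */
    if (include_ip_in_align)
        assert(off >= 0);    /* the commit's added "not before the buffer" check */
    return off;
}

/* Lowest m_data offset over every quoted length the buffer accepts. */
long worst_case_offset(int include_ip_in_align) {
    long worst = BUF_SIZE;
    for (size_t q = 0; fits_in_buffer(q); q++) {
        long off = final_data_offset(q, include_ip_in_align);
        if (off < worst)
            worst = off;
    }
    return worst;
}
```

With these toy sizes the pre-fix sequence reaches an m_data offset of -4 for the largest quoted lengths that still pass the allocation check, which is the underwrite; the fixed sequence never goes below 0.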

Details

Provenance
Authored by emaste
Parents
rS341257: Replace hand-crafted naive byte-by-byte zero block detection routine