mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-23 11:18:54 +00:00
bfef7ed45c
an IP header with ip_len in network byte order. For certain values of ip_len, this could cause icmp_error() to write beyond the end of an mbuf, causing mbuf free-list corruption. This problem was observed during generation of ICMP redirects. We now make quite sure that the copy of the IP header kept for icmp_error() is stored in a non-shared mbuf header so that it will not be modified by ip_output(). Also: - Calculate the correct number of bytes that need to be retained for icmp_error(), instead of assuming that 64 is enough (it's not). - In icmp_error(), use m_copydata instead of bcopy() to copy from the supplied mbuf chain, in case the first 8 bytes of IP payload are not stored directly after the IP header. - Sanity-check ip_len in icmp_error(), and panic if it is less than sizeof(struct ip). Incoming packets with bad ip_len values are discarded in ip_input(), so this should only be triggered by bugs in the code, not by bad packets. This patch results from code and suggestions from Ruslan, Bosko, Jonathan Lemon and Matt Dillon, with important testing by Mike Tancsa, who could reproduce this problem at will. Reported by: Mike Tancsa <mike@sentex.net> Reviewed by: ru, bmilekic, jlemon, dillon |
||
---|---|---|
.. | ||
libalias | ||
accf_data.c | ||
accf_http.c | ||
fil.c | ||
icmp6.h | ||
icmp_var.h | ||
if_atm.c | ||
if_atm.h | ||
if_ether.c | ||
if_ether.h | ||
if_fddi.h | ||
igmp_var.h | ||
igmp.c | ||
igmp.h | ||
in_cksum.c | ||
in_gif.c | ||
in_gif.h | ||
in_hostcache.c | ||
in_hostcache.h | ||
in_pcb.c | ||
in_pcb.h | ||
in_proto.c | ||
in_rmx.c | ||
in_systm.h | ||
in_var.h | ||
in.c | ||
in.h | ||
ip6.h | ||
ip_auth.c | ||
ip_auth.h | ||
ip_compat.h | ||
ip_divert.c | ||
ip_dummynet.c | ||
ip_dummynet.h | ||
ip_ecn.c | ||
ip_ecn.h | ||
ip_encap.c | ||
ip_encap.h | ||
ip_fil.c | ||
ip_fil.h | ||
ip_flow.c | ||
ip_flow.h | ||
ip_frag.c | ||
ip_frag.h | ||
ip_ftp_pxy.c | ||
ip_fw.c | ||
ip_fw.h | ||
ip_icmp.c | ||
ip_icmp.h | ||
ip_input.c | ||
ip_log.c | ||
ip_mroute.c | ||
ip_mroute.h | ||
ip_nat.c | ||
ip_nat.h | ||
ip_output.c | ||
ip_proxy.c | ||
ip_proxy.h | ||
ip_raudio_pxy.c | ||
ip_rcmd_pxy.c | ||
ip_state.c | ||
ip_state.h | ||
ip_var.h | ||
ip.h | ||
ipl.h | ||
ipprotosw.h | ||
mlfk_ipl.c | ||
raw_ip.c | ||
tcp_debug.c | ||
tcp_debug.h | ||
tcp_fsm.h | ||
tcp_input.c | ||
tcp_output.c | ||
tcp_reass.c | ||
tcp_seq.h | ||
tcp_subr.c | ||
tcp_timer.c | ||
tcp_timer.h | ||
tcp_timewait.c | ||
tcp_usrreq.c | ||
tcp_var.h | ||
tcp.h | ||
tcpip.h | ||
udp_usrreq.c | ||
udp_var.h | ||
udp.h |