d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Explicitly initialize the memory buffer to store O_ICMP6TYPE opcode.

Browse Source 
By default next_cmd() initializes only first u32 of opcode. O_ICMP6TYPE
opcode has array of bit masks to store corresponding ICMPv6 types.
An opcode that precedes O_ICMP6TYPE, e.g. O_IP6_DST, can have variable
length and during opcode filling it can modify memory that will be used
by O_ICMP6TYPE opcode. Without explicit initialization this leads to
creation of wrong opcode.

Reported by:	Boris N. Lytochkin
Obtained from:	Yandex LLC
MFC after:	3 days
This commit is contained in:
Andrey V. Elsukov 2019-10-15 09:50:02 +00:00
parent abc23d5932
commit 51b1593065
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=353545
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sbin/ipfw/ipv6.c
View File

@ -143,6 +143,7 @@ fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cblen)
uint8_t type;
CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_icmp6));
memset(cmd, 0, sizeof(*cmd));
while (*av) {
if (*av == ',')
av++;