When a checksum has to be computed for a received IPv6 packet because it

is requested by the application using the IPPROTO_IPV6 level socket option IPV6_CHECKSUM on a raw socket, ensure that the packet contains enough bytes to contain the checksum at the specified offset. Reported by: syzbot+6295fcc5a8aced81d599@syzkaller.appspotmail.com Reviewed by: bz@ Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D19968
svn path=/head/; revision=346402
2019-04-19 17:28:28 +00:00 · 2019-04-19 17:28:28 +00:00 · 70a0f3dcdc · 2020-12-20 02:59:44 +00:00
commit 70a0f3dcdc
parent ae7c65b171
1 changed files with 2 additions and 1 deletions
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@ -239,7 +239,8 @@ rip6_input(struct mbuf **mp, int *offp, int proto)
 		}
 		if (in6p->in6p_cksum != -1) {
 			RIP6STAT_INC(rip6s_isum);
-			if (in6_cksum(m, proto, *offp,
+			if (m->m_pkthdr.len - (*offp + in6p->in6p_cksum) < 2 ||
+			    in6_cksum(m, proto, *offp,
 			    m->m_pkthdr.len - *offp)) {
 				RIP6STAT_INC(rip6s_badsum);
 				goto skip_2;