Avoid a buffer overwrite in rip6_output() when computing the checksum

as requested by the user via the IPPROTO_IPV6 level socket option IPV6_CHECKSUM. The check if there are enough bytes in the packet to store the checksum at the requested offset was wrong by 1. Reviewed by: bz@ MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D19967
svn path=/head/; revision=346401
2019-04-19 17:21:35 +00:00 · 2019-04-19 17:21:35 +00:00 · ae7c65b171 · 2020-12-20 02:59:44 +00:00
commit ae7c65b171
parent 2f041b74b9
1 changed files with 1 additions and 1 deletions
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@ -495,7 +495,7 @@ rip6_output(struct mbuf *m, struct socket *so, ...)
 			off = offsetof(struct icmp6_hdr, icmp6_cksum);
 		else
 			off = in6p->in6p_cksum;
-		if (plen < off + 1) {
+		if (plen < off + 2) {
 			error = EINVAL;
 			goto bad;
 		}