rip: Add missing minimum length validation in rip_output()

If the socket is configured such that the sender is expected to supply the IP header, then we need to verify that it actually did so. Reported by: syzkaller+KMSAN Reviewed by: donner MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31302
2021-07-26 16:39:18 -04:00 · 2021-07-26 16:39:18 -04:00 · ba21825202
commit ba21825202
parent accff08c2f
1 changed files with 8 additions and 1 deletions
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@ -523,8 +523,15 @@ rip_output(struct mbuf *m, struct socket *so, ...)
 	} else {
 		if (m->m_pkthdr.len > IP_MAXPACKET) {
 			m_freem(m);
-			return(EMSGSIZE);
+			return (EMSGSIZE);
 		}
+		if (m->m_pkthdr.len < sizeof(*ip)) {
+			m_freem(m);
+			return (EINVAL);
+		}
+		m = m_pullup(m, sizeof(*ip));
+		if (m == NULL)
+			return (ENOMEM);
 		ip = mtod(m, struct ip *);
 		hlen = ip->ip_hl << 2;
 		if (m->m_len < hlen) {