freebsd-dev/sys/netinet6
Gleb Smirnoff 479795819a Verify the packet length in sctp6_input().
The sctp6_ctlinput() function does not properly check the length of the packet
it receives from the ICMP6 input routine. This means that an attacker can craft
a packet that will cause a kernel panic.

When the kernel receives an ICMP6 error message with one of the types/codes
it handles, it calls icmp6_notify_error() to deliver it to the upper-level
protocol. icmp6_notify_error() cycles through the extension headers (if any)
to find the protocol number of the first non-extension header. It does NOT
verify the length of the non-extension header.

It passes information about the packet (including the actual packet) to the
upper-level protocol's pr_ctlinput function. In the case of SCTP for IPv6,
icmp6_notify_error() calls sctp6_ctlinput().

sctp6_ctlinput() assumes that the incoming packet contains a sufficiently-long
SCTP header and calls m_copydata() to extract a copy of that header. In turn,
m_copydata() assumes that the caller has already verified that the offset and
length parameters are correct. If they are incorrect, it will dereference a
NULL pointer and cause a kernel panic.

In short, no one is sufficiently verifying the input, and the result is a
kernel panic.

Submitted by:	jtl
Security:	SA-16:01.sctp
2016-01-14 10:11:10 +00:00
..
dest6.c The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
frag6.c Remove sys/eventhandler.h from net/route.h 2016-01-09 09:34:39 +00:00
icmp6.c Split in6_selectsrc() into in6_selectsrc_addr() and in6_selectsrc_socket(). 2016-01-10 13:40:29 +00:00
icmp6.h
in6_cksum.c Fix the checksum computation for UDPLite/IPv6. This requires the 2014-10-02 10:32:24 +00:00
in6_fib.c Bring RADIX_MPATH support to new routing KPI to ease migration. 2016-01-11 08:45:28 +00:00
in6_fib.h Merge helper fib* functions used for basic lookups. 2015-12-08 10:50:03 +00:00
in6_gif.c Use correct lookup key for gif route lookups. 2015-12-09 22:09:33 +00:00
in6_ifattach.c Remove IN6_IFF_NOPFX. This flag was no longer used. 2015-09-10 06:08:42 +00:00
in6_ifattach.h
in6_mcast.c Make in_arpinput(), inp_lookup_mcast_ifp(), icmp_reflect(), 2015-12-09 11:14:27 +00:00
in6_pcb.c Split in6_selectsrc() into in6_selectsrc_addr() and in6_selectsrc_socket(). 2016-01-10 13:40:29 +00:00
in6_pcb.h Make in6_pcblookup_hash_locked and in6_pcbladdr static. 2014-09-10 13:17:35 +00:00
in6_pcbgroup.c Refactor / restructure the RSS code into generic, IPv4 and IPv6 specific 2015-01-18 18:06:40 +00:00
in6_proto.c Remove faith(4) and faithd(8) from base. It looks like industry 2014-11-09 21:33:01 +00:00
in6_rmx.c Remove prefix check from in6_addroute(). 2016-01-09 11:41:37 +00:00
in6_rss.c [netinet6]: Create a new IPv6 netisr which expects the frames to have been verified. 2015-11-06 23:07:43 +00:00
in6_rss.h Implement RSS hashing/re-hashing for IPv6 ingress packets. 2015-08-29 07:14:29 +00:00
in6_src.c Split in6_selectsrc() into in6_selectsrc_addr() and in6_selectsrc_socket(). 2016-01-10 13:40:29 +00:00
in6_var.h Revert r292275 & r292379 2015-12-17 14:41:30 +00:00
in6.c Implement interface link header precomputation API. 2015-12-31 05:03:27 +00:00
in6.h Handle IPV6_PATHMTU option by splitting ip6_getpmtu_ctl() from ip6_getpmtu(). 2016-01-03 09:54:03 +00:00
ip6_ecn.h
ip6_forward.c Bring back the ability of passing cached route via nd6_output_ifp(). 2015-11-15 16:02:22 +00:00
ip6_gre.c Extern declarations in C files loses compile-time checking that 2014-12-25 21:32:37 +00:00
ip6_id.c Provide includes that are needed in these files, and before were read 2013-10-26 18:18:50 +00:00
ip6_input.c Overhaul if_enc(4) and make it loadable in run-time. 2015-11-25 07:31:59 +00:00
ip6_ipsec.c Take extra reference to security policy before calling crypto_dispatch(). 2015-09-30 08:16:33 +00:00
ip6_ipsec.h Remove flag/flags argument from the following functions: 2014-12-11 18:35:34 +00:00
ip6_mroute.c Simplify ip[6] simploop: 2015-08-08 15:58:35 +00:00
ip6_mroute.h o Make net.inet6.ip6.mif6table return special API structure, that doesn't 2015-04-06 22:12:18 +00:00
ip6_output.c Finish r293098: make ip6_getpmtu() and ip6_getpmtu_ctl() use new routing API 2016-01-04 18:32:24 +00:00
ip6_var.h Split in6_selectsrc() into in6_selectsrc_addr() and in6_selectsrc_socket(). 2016-01-10 13:40:29 +00:00
ip6.h
ip6protosw.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
mld6_var.h - Rename 'struct mld_ifinfo' into 'struct mld_ifsoftc', since it really 2015-02-19 22:37:01 +00:00
mld6.c mld_v2_dispatch_general_query() is used by mld_fasttimo_vnet() to send 2015-12-01 11:17:41 +00:00
mld6.h
nd6_nbr.c Split in6_selectsrc() into in6_selectsrc_addr() and in6_selectsrc_socket(). 2016-01-10 13:40:29 +00:00
nd6_rtr.c Add new rt_foreach_fib_walk_del() function for deleting route entries 2015-11-30 05:51:14 +00:00
nd6.c Add rib_lookup_info() to provide API for retrieving individual route 2016-01-04 15:03:20 +00:00
nd6.h Implement interface link header precomputation API. 2015-12-31 05:03:27 +00:00
pim6_var.h Remove more constants related to static sysctl nodes. The MAXID constants 2014-02-25 18:44:33 +00:00
pim6.h
raw_ip6.c Split in6_selectsrc() into in6_selectsrc_addr() and in6_selectsrc_socket(). 2016-01-10 13:40:29 +00:00
raw_ip6.h Migrate structs ip6stat, icmp6stat and rip6stat to PCPU counters. 2013-07-09 09:54:54 +00:00
route6.c The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
scope6_var.h Merge helper fib* functions used for basic lookups. 2015-12-08 10:50:03 +00:00
scope6.c Merge helper fib* functions used for basic lookups. 2015-12-08 10:50:03 +00:00
sctp6_usrreq.c Verify the packet length in sctp6_input(). 2016-01-14 10:11:10 +00:00
sctp6_var.h
send.c Free mbuf in case of error. 2013-12-17 10:53:17 +00:00
send.h
tcp6_var.h
udp6_usrreq.c Split in6_selectsrc() into in6_selectsrc_addr() and in6_selectsrc_socket(). 2016-01-10 13:40:29 +00:00
udp6_var.h Add support for UDP-Lite protocol (RFC 3828) to IPv4 and IPv6 stacks. 2014-04-07 01:53:03 +00:00