d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Ensure that IP fragments do not extend beyond IP_MAXPACKET.

Browse Source 
Such fragments are obviously invalid, and when processed may end up
violating the sort order (by offset) of fragments of a given packet.
This doesn't appear to be exploitable, however.

Reviewed by:	emaste
Discussed with:	jtl
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D17914
This commit is contained in:
Mark Johnston 2018-11-10 03:00:36 +00:00
parent 266b2aa146
commit 86af1d0241
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
sys/netinet/ip_reass.c
View File

@ -227,6 +227,16 @@ ip_reass(struct mbuf *m)
m->m_flags &= ~M_IP_FRAG;
ip->ip_off = htons(ntohs(ip->ip_off) << 3);
/*
* Make sure the fragment lies within a packet of valid size.
*/
if (ntohs(ip->ip_len) + ntohs(ip->ip_off) > IP_MAXPACKET) {
IPSTAT_INC(ips_toolong);
IPSTAT_INC(ips_fragdropped);
m_freem(m);
return (NULL);
}
/*
* Attempt reassembly; if it succeeds, proceed.
* ip_reass() will return a different mbuf.