Validate IPv6 socket options more carefully to avoid a panic.

PR: kern/61513 Reviewed by: cperciva, nectar
2004-03-26 19:52:18 +00:00 · 2004-03-26 19:52:18 +00:00 · a5d1aae31a
commit a5d1aae31a
parent 3d7fb10b5f
2 changed files with 38 additions and 1 deletions
--- a/sys/netinet/ip6.h
+++ b/sys/netinet/ip6.h
@ -213,6 +213,7 @@ struct ip6_frag {

 #define IPV6_MMTU	1280	/* minimal MTU and reassembly. 1024 + 256 */
 #define IPV6_MAXPACKET	65535	/* ip6 max packet size without Jumbo payload*/
+#define IPV6_MAXOPTHDR	2048	/* max option header size, 256 64-bit words */

 #ifdef _KERNEL
 /*
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@ -1780,12 +1780,48 @@ do { \
 					break;
 				}

-				optbuf = sopt->sopt_val;
+				switch (optname) {
+				case IPV6_HOPOPTS:
+				case IPV6_DSTOPTS:
+				case IPV6_RTHDRDSTOPTS:
+				case IPV6_NEXTHOP:
+					if (!privileged)
+						error = EPERM;
+					break;
+				}
+				if (error)
+					break;
+
+				switch (optname) {
+				case IPV6_PKTINFO:
+					optlen = sizeof(struct in6_pktinfo);
+					break;
+				case IPV6_NEXTHOP:
+					optlen = SOCK_MAXADDRLEN;
+					break;
+				default:
+					optlen = IPV6_MAXOPTHDR;
+					break;
+				}
+				if (sopt->sopt_valsize > optlen) {
+					error = EINVAL;
+					break;
+				}
+
 				optlen = sopt->sopt_valsize;
+				optbuf = malloc(optlen, M_TEMP, M_WAITOK);
+				error = sooptcopyin(sopt, optbuf, optlen,
+				    optlen);
+				if (error) {
+					free(optbuf, M_TEMP);
+					break;
+				}
+
 				optp = &in6p->in6p_outputopts;
 				error = ip6_pcbopt(optname,
 						   optbuf, optlen,
 						   optp, privileged, uproto);
+				free(optbuf, M_TEMP);
 				break;
 			}
 #undef OPTSET