Fix a bug, when a specially crafted ICMPV6 MLD packet could lead
to an integer divide by zero panic in the kernel, if the kernel was
run with hz<1000.
Neither i386, pc98, amd64 or sparc64 are affected in the currently
supported branches and default configuration.

Submitted by:	Miikka Saukko, Ossi Herrala and Jukka Taimisto from
		the CROSS project at Codenomicon Ltd. via CERT-FI.
Reviewed by:	bz, rwatson
Security:	CVE-2008-2464
MFC after:	8 hours
Bjoern A. Zeeb 2008-09-03 08:13:58 +00:00
parent 73a3a6581e
commit bf0d5f8e16


@ -275,7 +275,7 @@ mld6_input(struct mbuf *m, int off)
struct in6_addr mld_addr, all_in6;
struct in6_ifaddr *ia;
struct ifmultiaddr *ifma;
int timer; /* timer value in the MLD query header */
u_long timer; /* timer value in the MLD query header */
#ifndef PULLDOWN_TEST
IP6_EXTHDR_CHECK(m, off, sizeof(*mldh),);
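Review bot: the comment on the `u_long timer` declaration does not state the unit of the value, although the later computation in `mld6_input()` scales it by `hz / 1000`; put the unit in the comment so the scaling can be checked at the declaration. Because the type changes from `int` to `u_long`, the uses of `timer` that this hunk does not show (the assignment from the query header and any comparison against a signed value) should be confirmed to behave the same with an unsigned type.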
@ -391,9 +391,9 @@ mld6_input(struct mbuf *m, int off)
in6m->in6m_state = MLD_IREPORTEDLAST;
}
else if (in6m->in6m_timer == IN6M_TIMER_UNDEF ||
mld_timerresid(in6m) > (u_long)timer) {
in6m->in6m_timer = arc4random() %
(int)((long)(timer * hz) / 1000);
mld_timerresid(in6m) > timer) {
in6m->in6m_timer =
1 + (arc4random() % timer) * hz / 1000;
mld_starttimer(in6m);
}
}
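Review bot: in the new assignment `1 + (arc4random() % timer) * hz / 1000`, `timer` is still a divisor, so the expression is safe only if `timer` cannot be zero on this path; the lines shown do not include that check, so confirm that the preceding branch handles `timer == 0` or add an explicit guard here. The leading `1 +` keeps the result at least 1 and the remainder is now taken before scaling by `hz / 1000`, which changes the set of values the timer can take when `hz` is small; a one-line comment saying this is intended would help the next reader. On platforms where `u_long` is 32 bits, `(arc4random() % timer) * hz` is evaluated before the division, so the largest `timer` value accepted from the header should be stated to show the product cannot overflow.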