authorbz <bz@FreeBSD.org>2008-09-03 08:13:58 +0000
committerbz <bz@FreeBSD.org>2008-09-03 08:13:58 +0000
commit78dd3921ca9d34364c15bb4d55a63696968c5dde (patch)
tree7900547cbc5e5c32246d42e2a41d6fb39518c4f4 /sys/netinet6/mld6.c
parentca999bfaa6ab9ea681a256ef5a391596759c5598 (diff)
Fix a bug where a specially crafted ICMPv6 MLD packet could lead
to an integer divide-by-zero panic in the kernel if the kernel was run with hz<1000. None of i386, pc98, amd64 or sparc64 is affected in the currently supported branches and default configuration. Submitted by: Miikka Saukko, Ossi Herrala and Jukka Taimisto from the CROSS project at Codenomicon Ltd. via CERT-FI. Reviewed by: bz, rwatson Security: CVE-2008-2464 MFC after: 8 hours
Diffstat (limited to 'sys/netinet6/mld6.c')
-rw-r--r--sys/netinet6/mld6.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/netinet6/mld6.c b/sys/netinet6/mld6.c
index 661724f..1216d95 100644
--- a/sys/netinet6/mld6.c
+++ b/sys/netinet6/mld6.c
@@ -275,7 +275,7 @@ mld6_input(struct mbuf *m, int off)
struct in6_addr mld_addr, all_in6;
struct in6_ifaddr *ia;
struct ifmultiaddr *ifma;
- int timer; /* timer value in the MLD query header */
+ u_long timer; /* timer value in the MLD query header */
#ifndef PULLDOWN_TEST
IP6_EXTHDR_CHECK(m, off, sizeof(*mldh),);
@@ -391,9 +391,9 @@ mld6_input(struct mbuf *m, int off)
in6m->in6m_state = MLD_IREPORTEDLAST;
}
else if (in6m->in6m_timer == IN6M_TIMER_UNDEF ||
- mld_timerresid(in6m) > (u_long)timer) {
- in6m->in6m_timer = arc4random() %
- (int)((long)(timer * hz) / 1000);
+ mld_timerresid(in6m) > timer) {
+ in6m->in6m_timer =
+ 1 + (arc4random() % timer) * hz / 1000;
mld_starttimer(in6m);
}
}
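Review bot: The rewritten assignment to `in6m->in6m_timer` still takes a modulo by a value read from the query, so `arc4random() % timer` is only safe while `timer` cannot be zero on this path. The `if` that precedes this `else if` starts outside the hunk, so whether it rejects `timer == 0` cannot be confirmed from here; if it does, that invariant is the only thing keeping a crafted query from reaching a zero divisor again and deserves a comment at the use site, e.g. `/* timer != 0 here: the zero-delay case is handled by the branch above */`. The same comment could note that the division by 1000 now happens after the modulo and that the leading `1 +` keeps the stored value non-zero when `hz < 1000` truncates the product. The arithmetic is now done in `u_long`, and the type of `in6m_timer` is not visible in this hunk, so it is worth checking that the assignment does not narrow.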