author | andre <andre@FreeBSD.org> | 2004-09-16 18:33:39 +0000 |
---|---|---|
committer | andre <andre@FreeBSD.org> | 2004-09-16 18:33:39 +0000 |
commit | d4e3412583ae49977b559c6ec4b4c61bdd0b9baf (patch) | |
tree | 8264ebddeb25693fb6f082855b7a725de2314bde /sys/netinet | |
parent | 5b5cfb3bca2d33bc035e5065927f156a961600a0 (diff) | |
Fix an out of bounds write during the initialization of the PF_INET protocol
family to the ip_protox[] array. The protocol number of IPPROTO_DIVERT is
larger than IPPROTO_MAX and was initializing memory beyond the array.
Catch all these kinds of errors by ignoring protocols that are higher than
IPPROTO_MAX or 0 (zero).
Add more comments to ip_init().
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_input.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 4072bc76..1bc4002 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -247,14 +247,23 @@ ip_init() in_ifaddrhashtbl = hashinit(INADDR_NHASH, M_IFADDR, &in_ifaddrhmask); pr = pffindproto(PF_INET, IPPROTO_RAW, SOCK_RAW); if (pr == 0) - panic("ip_init"); + panic("ip_init: PF_INET not found"); + + /* Initialize the entire ip_protox[] array to IPPROTO_RAW. */ for (i = 0; i < IPPROTO_MAX; i++) ip_protox[i] = pr - inetsw; + /* + * Cycle through IP protocols and put them into the appropriate place + * in ip_protox[]. + */ for (pr = inetdomain.dom_protosw; pr < inetdomain.dom_protoswNPROTOSW; pr++) if (pr->pr_domain->dom_family == PF_INET && - pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) - ip_protox[pr->pr_protocol] = pr - inetsw; + pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) { + /* Be careful to only index valid IP protocols. */ + if (pr->pr_protocol && pr->pr_protocol < IPPROTO_MAX) + ip_protox[pr->pr_protocol] = pr - inetsw; + } /* Initialize packet filter hooks. */ inet_pfil_hook.ph_type = PFIL_TYPE_AF; @@ -263,13 +272,14 @@ ip_init() printf("%s: WARNING: unable to register pfil hook, " "error %d\n", __func__, i); + /* Initialize IP reassembly queue. */ IPQ_LOCK_INIT(); for (i = 0; i < IPREASS_NHASH; i++) TAILQ_INIT(&ipq[i]); - maxnipq = nmbclusters / 32; maxfragsperpacket = 16; + /* Initialize various other remaining things. */ ip_id = time_second & 0xffff; ipintrq.ifq_maxlen = ipqmaxlen; mtx_init(&ipintrq.ifq_mtx, "ip_inq", NULL, MTX_DEF); |
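Review bot: The inner guard `if (pr->pr_protocol && pr->pr_protocol < IPPROTO_MAX)` in the first hunk bounds the ip_protox[] index only from above. The declaration of pr_protocol is not visible here; if it is a signed type, a negative value in a protosw entry would pass both tests and write before the start of the array, so the check should state the lower bound explicitly: `if (pr->pr_protocol > 0 && pr->pr_protocol < IPPROTO_MAX)`. That form also replaces the non-zero test, which the enclosing `if` has already made. Skipped entries are dropped silently, so a one-line comment naming which protocols are expected to fall outside the table (the commit message mentions IPPROTO_DIVERT) would help the next reader. ip_init() begins and ends outside the hunk.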