author | delphij <delphij@FreeBSD.org> | 2015-04-07 20:20:24 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2015-04-07 20:20:24 +0000 |
commit | e5ee1c2b414851b17663cb491e2f2317a0af9bda (patch) | |
tree | 0fb07d612e2cdc3639727807b31799e6a7842bd4 /sys | |
parent | 788993fc41f2549c7ca282a9e1bc3ca4dd88596e (diff) | |
Improve patch for SA-15:04.igmp to solve a potential buffer overflow.
Fix multiple vulnerabilities of ntp. [SA-15:07]
Fix bsdinstall(8) insecure default GELI keyfile permissions. [SA-15:08]
Fix Denial of Service with IPv6 Router Advertisements. [SA-15:09]
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/igmp.c | 7 | ||||
-rw-r--r-- | sys/netinet6/nd6_rtr.c | 12 |
2 files changed, 13 insertions, 6 deletions
diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c
index 908f304..c138f14 100644
--- a/sys/netinet/igmp.c
+++ b/sys/netinet/igmp.c
@@ -1534,7 +1534,6 @@ igmp_input(struct mbuf *m, int off)
 struct igmpv3 *igmpv3;
 uint16_t igmpv3len;
 uint16_t nsrc;
- int srclen;
 IGMPSTAT_INC(igps_rcv_v3_queries);
 igmpv3 = (struct igmpv3 *)igmp;
@@ -1542,8 +1541,8 @@ igmp_input(struct mbuf *m, int off)
 * Validate length based on source count.
 */
 nsrc = ntohs(igmpv3->igmp_numsrc);
- srclen = sizeof(struct in_addr) * nsrc;
- if (nsrc * sizeof(in_addr_t) > srclen) {
+ if (nsrc * sizeof(in_addr_t) >
+ UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
 IGMPSTAT_INC(igps_rcv_tooshort);
 return;
 }
@@ -1552,7 +1551,7 @@ igmp_input(struct mbuf *m, int off)
 * this scope.
 */
 igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
- srclen;
+ sizeof(struct in_addr) * nsrc;
 if ((m->m_flags & M_EXT || m->m_len < igmpv3len) && (m = m_pullup(m, igmpv3len)) == NULL) {
diff --git a/sys/netinet6/nd6_rtr.c b/sys/netinet6/nd6_rtr.c
index 0c8b587..8588a6b 100644
--- a/sys/netinet6/nd6_rtr.c
+++ b/sys/netinet6/nd6_rtr.c
@@ -296,8 +296,16 @@ nd6_ra_input(struct mbuf *m, int off, int icmp6len)
 }
 if (nd_ra->nd_ra_retransmit)
 ndi->retrans = ntohl(nd_ra->nd_ra_retransmit);
- if (nd_ra->nd_ra_curhoplimit)
- ndi->chlim = nd_ra->nd_ra_curhoplimit;
+ if (nd_ra->nd_ra_curhoplimit) {
+ if (ndi->chlim < nd_ra->nd_ra_curhoplimit)
+ ndi->chlim = nd_ra->nd_ra_curhoplimit;
+ else if (ndi->chlim != nd_ra->nd_ra_curhoplimit) {
+ log(LOG_ERR, "RA with a lower CurHopLimit sent from "
+ "%s on %s (current = %d, received = %d). "
+ "Ignored.\n", ip6_sprintf(ip6bufs, &ip6->ip6_src),
+ if_name(ifp), ndi->chlim, nd_ra->nd_ra_curhoplimit);
+ }
+ }
 dr = defrtrlist_update(&dr0);
 } |
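Review bot: The new guard in the second igmp.c hunk bounds `nsrc * sizeof(in_addr_t)`, while the sum it protects in the following hunk adds `sizeof(struct in_addr) * nsrc`; the two sizes are presumably identical, but the different spellings hide that the check exists to keep the `uint16_t igmpv3len` from wrapping. I would use `sizeof(struct in_addr)` in both places and extend the comment above the check, e.g. `* Reject source counts that would overflow the 16-bit igmpv3len computed below.` The bound also subtracts `iphlen`, which is declared outside the hunk; if it is a signed int, the comparison against a size_t relies on it staying small, which is worth a word in the same comment. This check only prevents the wrap; whether the packet really carries nsrc sources is still left to the `m_pullup()` call in the last igmp.c hunk. igmp_input's body starts and ends outside these hunks.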
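Review bot: The `log(LOG_ERR, ...)` in the new else-branch of the nd6_rtr.c hunk runs for every Router Advertisement that carries a lower CurHopLimit, and nothing visible in the hunk limits its rate, so repeated RAs of that kind translate directly into kernel log and console volume. I would throttle it, for instance with `ppsratecheck(9)` around the call, while keeping at least one message so the event stays visible to whoever monitors the host. The accepted value can now only go up, so a single RA with a high CurHopLimit appears to stick until `ndi->chlim` is reset elsewhere; a short comment stating that this ratchet is intentional would help, e.g. `/* Only accept a larger hop limit; smaller values are logged and ignored (SA-15:09). */`. nd6_ra_input's body starts and ends outside the hunk.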