frag6: Avoid a possible integer overflow in fragment handling

Reviewed by:	kp, markj, bz
Approved by:	so
Security:	FreeBSD-SA-23:06.ipv6
Security:	CVE-2023-3107
Jonathan T. Looney
2023-08-01 10:58:34 -04:00
committed by Mark Johnston
parent bed3ae1d78
commit ff3d1a3f9d
+5
@@ -861,6 +861,11 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
/* Adjust offset to point where the original next header starts. */
offset = ip6af->ip6af_offset - sizeof(struct ip6_frag);
free(ip6af, M_FRAG6);
if ((u_int)plen + (u_int)offset - sizeof(struct ip6_hdr) >
IPV6_MAXPACKET) {
frag6_freef(q6, bucket);
goto dropfrag;
}
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_plen = htons((u_short)plen + offset - sizeof(struct ip6_hdr));
if (q6->ip6q_ecn == IPTOS_ECN_CE)
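Review bot: The new bound check ahead of `ip6 = mtod(m, struct ip6_hdr *)` carries no comment saying what it protects, and it evaluates the same length expression as the `ip6_plen` assignment two lines later with different casts (`(u_int)plen` in the check, `(u_short)plen` in the assignment). I would add `/* Drop the packet if the reassembled payload length does not fit in the 16-bit ip6_plen field. */` above the `if`, so the next reader sees why the whole fragment queue is freed at this point. The `(u_short)` cast in the assignment narrows plen before the addition; the guard appears to make that harmless, but casting the whole expression instead, `htons((u_short)(plen + offset - sizeof(struct ip6_hdr)))`, would keep the two sites visibly in agreement. Whether the `dropfrag` path counts this drop in the reassembly-failure statistics cannot be seen from here, because frag6_input starts and ends outside the hunk.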