frag6: Avoid a possible integer overflow in fragment handling
Reviewed by: kp, markj, bz Approved by: so Security: FreeBSD-SA-23:06.ipv6 Security: CVE-2023-3107
committed by
Mark Johnston
parent
bed3ae1d78
commit
ff3d1a3f9d
@@ -861,6 +861,11 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
|
||||
/* Adjust offset to point where the original next header starts. */
|
||||
offset = ip6af->ip6af_offset - sizeof(struct ip6_frag);
|
||||
free(ip6af, M_FRAG6);
|
||||
if ((u_int)plen + (u_int)offset - sizeof(struct ip6_hdr) >
|
||||
IPV6_MAXPACKET) {
|
||||
frag6_freef(q6, bucket);
|
||||
goto dropfrag;
|
||||
}
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
ip6->ip6_plen = htons((u_short)plen + offset - sizeof(struct ip6_hdr));
|
||||
if (q6->ip6q_ecn == IPTOS_ECN_CE)
|
||||
|
||||
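Review bot: The new length guard before `ip6 = mtod(m, struct ip6_hdr *);` has no comment, and the store two lines below it repeats the same arithmetic with a different cast (`(u_short)plen + offset - sizeof(struct ip6_hdr)`), so the check and the value written to `ip6_plen` can drift apart in a later edit. I would compute the length once into a local, e.g. `len = (u_int)plen + (u_int)offset - sizeof(struct ip6_hdr);`, test `if (len > IPV6_MAXPACKET)`, and store `htons((u_short)len)`. A comment above the guard would help too, such as `/* The reassembled payload length must fit the 16-bit ip6_plen field; otherwise drop the whole queue. */`. It is also worth stating there that a sum smaller than the header size appears to wrap to a large unsigned value and is therefore dropped as well. The declarations of `plen` and `offset` and the rest of `frag6_input` are outside this hunk, so the type of the new local should be confirmed against them.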