[Slirp] [Git][slirp/libslirp][master] 3 commits: Drop bogus IPv6 messages

Samuel Thibault gitlab at gitlab.freedesktop.org
Tue Jul 7 17:12:28 UTC 2020 


Samuel Thibault pushed to branch master at slirp / libslirp


Commits:
c7ede54c by Ralf Haferkamp at 2020-07-03T14:51:16+02:00
Drop bogus IPv6 messages

Drop IPv6 message shorter than what's mentioned in the payload
length header (+ the size of the IPv6 header). They're invalid an could
lead to data leakage in icmp6_send_echoreply().

- - - - -
f1941d6d by Ralf Haferkamp at 2020-07-03T14:56:27+02:00
Fix MTU check

The size for Header has to be accounted for as well.

- - - - -
ebf7bc3a by Samuel Thibault at 2020-07-07T17:12:25+00:00
Merge branch 'ip6_payload_len' into 'master'

Drop bogus IPv6 messages

See merge request slirp/libslirp!44
- - - - -


1 changed file:

- src/ip6_input.c


Changes:

=====================================
src/ip6_input.c
=====================================
@@ -44,11 +44,18 @@ void ip6_input(struct mbuf *m)
         goto bad;
     }
 
-    if (ntohs(ip6->ip_pl) > slirp->if_mtu) {
+    if (ntohs(ip6->ip_pl) + sizeof(struct ip6) > slirp->if_mtu) {
         icmp6_send_error(m, ICMP6_TOOBIG, 0);
         goto bad;
     }
 
+    // Check if the message size is big enough to hold what's
+    // set in the payload length header. If not this is an invalid
+    // packet
+    if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
+        goto bad;
+    }
+
     /* check ip_ttl for a correct ICMP reply */
     if (ip6->ip_hl == 0) {
         icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);



View it on GitLab: https://gitlab.freedesktop.org/slirp/libslirp/-/compare/d877d74bea1b0c5680213ecd53fa630f6a8b1aba...ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347

-- 
View it on GitLab: https://gitlab.freedesktop.org/slirp/libslirp/-/compare/d877d74bea1b0c5680213ecd53fa630f6a8b1aba...ebf7bc3a5e9094eb6f9efbae7ef8b0f57583e347
You're receiving this email because of your account on gitlab.freedesktop.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/slirp/attachments/20200707/3c85cc0b/attachment.htm>

More information about the Slirp mailing list