authorJonathan T. Looney <jtl@FreeBSD.org>2023-08-01 14:58:34 +0000
committerMark Johnston <markj@FreeBSD.org>2023-08-01 19:45:41 +0000
commitff3d1a3f9d71e706f320f51bae258e4e1a51b388 (patch)
treee1a654977e9437a322f5f02c5fde133dd18fe5ea
parentbed3ae1d7863ac1e0b1e82ae7bf952937e921efe (diff)
frag6: Avoid a possible integer overflow in fragment handling
Reviewed by: kp, markj, bz Approved by: so Security: FreeBSD-SA-23:06.ipv6 Security: CVE-2023-3107
-rw-r--r--sys/netinet6/frag6.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c
index 5acdc1b20981..9837c6662888 100644
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@@ -861,6 +861,11 @@ postinsert:
/* Adjust offset to point where the original next header starts. */
offset = ip6af->ip6af_offset - sizeof(struct ip6_frag);
free(ip6af, M_FRAG6);
+ if ((u_int)plen + (u_int)offset - sizeof(struct ip6_hdr) >
+ IPV6_MAXPACKET) {
+ frag6_freef(q6, bucket);
+ goto dropfrag;
+ }
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_plen = htons((u_short)plen + offset - sizeof(struct ip6_hdr));
if (q6->ip6q_ecn == IPTOS_ECN_CE)
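Review bot: The new guard before the `ip6_plen` store carries no comment, so a reader has to reconstruct why the bound is IPV6_MAXPACKET, why the arithmetic is done unsigned, and why the `(u_short)plen` truncation on the next line is now safe; I would add `/* ip6_plen is 16 bits: drop a reassembled payload that would not fit. The unsigned subtraction also wraps, and so rejects, a plen + offset smaller than the IPv6 header. */` above the `if`. The wrap-to-reject behaviour is only implicit here: `sizeof` widens the expression to size_t, but `(u_int)plen + (u_int)offset` is still a 32-bit addition that wraps before that widening, so if the two can ever sum past 32 bits (presumably they are bounded by the per-packet fragment limit, which this hunk does not show) writing `(size_t)plen + (size_t)offset - sizeof(struct ip6_hdr)` would make the check hold regardless. Worth confirming, since the `dropfrag` label is outside the hunk, that `frag6_freef(q6, bucket)` does not also release the reassembled chain `m` that the drop path presumably m_freem()s. The enclosing function (the `postinsert:` label) starts before and ends after this hunk.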