CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	emaste <emaste@FreeBSD.org>
	Thu, 8 Nov 2018 20:17:36 +0000 (20:17 +0000)
committer	emaste <emaste@FreeBSD.org>
	Thu, 8 Nov 2018 20:17:36 +0000 (20:17 +0000)
commit	a9fb9d9a3082845e55798950d85fe93a61a8630a
tree	5b4985a89da51e7fa004d85d58178de478727e89	tree \| snapshot
parent	490f74685f41d8411e5b1440c9e7b0f0975a698a	commit \| diff

Avoid buffer underwrite in icmp_error

icmp_error allocates either an mbuf (with pkthdr) or a cluster depending
on the size of data to be quoted in the ICMP reply, but the calculation
failed to account for the additional padding that m_align may apply.

Include the ip header in the size passed to m_align. On 64-bit archs
this will have the net effect of moving everything 4 bytes later in the
mbuf or cluster. This will result in slightly pessimal alignment for
the ICMP data copy.

Also add an assertion that we do not move m_data before the beginning of
the mbuf or cluster.

Reported by: A reddit user
Reviewed by: bz, jtl
MFC after: 3 days
Security: CVE-2018-17156
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17909