MFC r340260: Avoid buffer underwrite in icmp_error
icmp_error allocates either an mbuf (with pkthdr) or a cluster depending
on the size of data to be quoted in the ICMP reply, but the calculation
failed to account for the additional padding that m_align may apply.
Include the ip header in the size passed to m_align. On 64-bit archs
this will have the net effect of moving everything 4 bytes later in the
mbuf or cluster. This will result in slightly pessimal alignment for
the ICMP data copy.
Also add an assertion that we do not move m_data before the beginning of
the mbuf or cluster.
Reported by: A reddit user
Security: CVE-2018-17156
Sponsored by: The FreeBSD Foundation
git-svn-id: svn://svn.freebsd.org/base/stable/10@341258
ccf9f872-aa2e-dd11-9fc8-
001c23d0bc1f
projects / FreeBSD / stable / 10.git / commit