| From 0fe108ecb2bbdf684f159950eaa55d22f07c4008 Mon Sep 17 00:00:00 2001 |
| From: Catalin Enache <catalin.enache@windriver.com> |
| Date: Wed, 20 Apr 2016 15:17:18 +0300 |
| Subject: [PATCH] pinger: Fix buffer overflow in Icmp6::Recv |
| |
| Upstream-Status: Backport |
| CVE: CVE-2016-3947 |
| |
| Author: Yuriy M. Kaminskiy <yumkam@gmail.com> |
| Committer: Amos Jeffries <squid3@treenet.co.nz> |
| Signed-off-by: Catalin Enache <catalin.enache@windriver.com> |
| --- |
| src/icmp/Icmp6.cc | 5 ++--- |
| 1 file changed, 2 insertions(+), 3 deletions(-) |
| |
| diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc |
| index 794a51a..ee84b80 100644 |
| --- a/src/icmp/Icmp6.cc |
| +++ b/src/icmp/Icmp6.cc |
| @@ -256,7 +256,7 @@ Icmp6::Recv(void) |
| #define ip6_hops // HOPS!!! (can it be true??) |
| |
| ip = (struct ip6_hdr *) pkt; |
| - pkt += sizeof(ip6_hdr); |
| + NP: echo size needs to +sizeof(ip6_hdr); |
| |
| debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt << |
| ", ip6_plen=" << ip->ip6_plen << |
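Review bot: The added line `NP: echo size needs to +sizeof(ip6_hdr);` has no comment marker, so it only compiles if this region is inside a block comment. The `*/` at the top of the next hunk suggests that it is, but the opening `/*` is outside the hunk and should be confirmed against the full file. The wording is also terse for a note guarding a memory-safety fix. If the intent is a reminder for whoever re-enables this block, something like `NP: if the ip6_hdr is ever present in pkt, the echo offset below must also add sizeof(ip6_hdr)` states the constraint directly.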
| @@ -267,7 +267,6 @@ Icmp6::Recv(void) |
| */ |
| |
| icmp6header = (struct icmp6_hdr *) pkt; |
| - pkt += sizeof(icmp6_hdr); |
| |
| if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) { |
| |
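Review bot: No length check is visible before `icmp6header->icmp6_type` is read here, or before `echo->opcode` is read through `pkt + sizeof(icmp6_hdr)` in the hunk at `echo = (icmpEchoData *)`. Keeping `pkt` at the start of the buffer appears to remove the mismatch between the advanced pointer and the buffer bounds, but both reads still assume the datagram covers the ICMPv6 header plus the fixed part of `icmpEchoData`. Recv's body starts and ends outside these hunks, so such a guard may already exist earlier in the function. If it does not, a check like `if (received_len < sizeof(icmp6_hdr) + ECHO_FIXED_SIZE) return;` belongs before the first dereference. Both `received_len` and `ECHO_FIXED_SIZE` are placeholders, for the receive call's byte count and for the non-payload size of `icmpEchoData`.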
| @@ -292,7 +291,7 @@ Icmp6::Recv(void) |
| return; |
| } |
| |
| - echo = (icmpEchoData *) pkt; |
| + echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr)); |
| |
| preply.opcode = echo->opcode; |
| |
| -- |
| 2.7.4 |
| |