Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | 1 | From 0fe108ecb2bbdf684f159950eaa55d22f07c4008 Mon Sep 17 00:00:00 2001 |
| 2 | From: Catalin Enache <catalin.enache@windriver.com> |
| 3 | Date: Wed, 20 Apr 2016 15:17:18 +0300 |
| 4 | Subject: [PATCH] pinger: Fix buffer overflow in Icmp6::Recv |
| 5 | |
| 6 | Upstream-Status: Backport |
| 7 | CVE: CVE-2016-3947 |
| 8 | |
| 9 | Author: Yuriy M. Kaminskiy <yumkam@gmail.com> |
| 10 | Committer: Amos Jeffries <squid3@treenet.co.nz |
| 11 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> |
| 12 | --- |
| 13 | src/icmp/Icmp6.cc | 5 ++--- |
| 14 | 1 file changed, 2 insertions(+), 3 deletions(-) |
| 15 | |
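--- a/src/icmp/Icmp6.cc
+++ b/src/icmp/Icmp6.cc
@@ -256,7 +256,7 @@ Icmp6::Recv(void)
 #define ip6_hops // HOPS!!! (can it be true??)
 
 ip = (struct ip6_hdr *) pkt;
- pkt += sizeof(ip6_hdr);
+ NP: echo size needs to +sizeof(ip6_hdr);
 
 debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
 ", ip6_plen=" << ip->ip6_plen <<
@@ -267,7 +267,6 @@ Icmp6::Recv(void)
 */
 
 icmp6header = (struct icmp6_hdr *) pkt;
- pkt += sizeof(icmp6_hdr);
 
 if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
 
@@ -292,7 +291,7 @@ Icmp6::Recv(void)
 return;
 }
 
- echo = (icmpEchoData *) pkt;
+ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
 
 preply.opcode = echo->opcode;
 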
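Review bot: The cast `echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));` is followed directly by a read of `echo->opcode`, and none of the three hunks shows a check that the received byte count covers `sizeof(icmp6_hdr)` plus the fixed fields of `icmpEchoData`. Icmp6::Recv starts and ends outside these hunks, so such a check may already exist; if it does not, a truncated reply would still be parsed beyond the bytes actually received, and a guard ahead of the `icmp6_type` test is worth adding, for example `if (<received length> < sizeof(icmp6_hdr) + <fixed echo header size>) return;` using the function's own length variable. Any payload size derived later should be bounded by that same received length rather than by a value taken from the packet. Separately, the added line `NP: echo size needs to +sizeof(ip6_hdr);` carries no comment marker; the `*/` at the top of the second hunk suggests it sits inside a commented-out block, which is worth confirming so the line cannot end up in compiled code.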
| 46 | -- |
| 47 | 2.7.4 |
| 48 | |