Newsgroups: comp.os.386bsd.bugs
Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!elroy.jpl.nasa.gov!usc!howland.reston.ans.net!torn!nott!bnrgate!bnr.co.uk!uknet!mcsun!fuug!kiae!bitcom!nik!news-server
From: apg@apg.kiae.su (Paul Antonov)
Subject: Patch for hole in SOCK_RAW code
Return-Receipt-To: rcpt@apg.kiae.su
Date: Wed, 19 May 93 16:14:01 +0300
Lines: 35
Reply-To: apg@apg.kiae.su
Organization: unknown
Sender: news-server@nik.nalchik.su
Message-ID: <AHPAZ-hu90@apg.kiae.su>

This small bug appeared when I tried to do

    myhost% traceroute anyhost 2000

Try it, and your system will crash instantly.

Here's my quick fix (added checking for packet sizes in raw IP header
and actual mbuf data length):

*** raw_ip.c.orig Wed May 19 05:25:40 1993
--- raw_ip.c Wed May 19 05:28:48 1993
***************
*** 103,111 ****
* If the user handed us a complete IP packet, use it.
* Otherwise, allocate an mbuf for a header and fill it in.
*/
! if (rp->rinp_flags & RINPF_HDRINCL)
ip = mtod(m, struct ip *);
! else {
M_PREPEND(m, sizeof(struct ip), M_WAIT);
ip = mtod(m, struct ip *);
ip->ip_tos = 0;
--- 103,114 ----
* If the user handed us a complete IP packet, use it.
* Otherwise, allocate an mbuf for a header and fill it in.
*/
! if (rp->rinp_flags & RINPF_HDRINCL) {
ip = mtod(m, struct ip *);
! if (ip->ip_len > m->m_pkthdr.len)
! return EMSGSIZE;
! ip->ip_len = m->m_pkthdr.len;
! } else {
M_PREPEND(m, sizeof(struct ip), M_WAIT);
ip = mtod(m, struct ip *);
ip->ip_tos = 0;
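
Review bot: the early `return EMSGSIZE;` in the new RINPF_HDRINCL branch exits without releasing `m`; unless the caller frees the mbuf chain when this function returns an error, call `m_freem(m)` before returning so the rejected packet is not leaked. The same branch reads `ip->ip_len` through `mtod(m, struct ip *)` without first checking that the mbuf holds at least `sizeof(struct ip)` bytes, so a caller-supplied buffer shorter than an IP header is still dereferenced as one; a minimum-length check ahead of the `mtod()` would close that. Also, `ip->ip_len = m->m_pkthdr.len;` silently overwrites a caller-supplied length that is smaller than the data handed in, which deserves a comment stating that this is intended rather than an oversight.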