ping6 extension headers bounds checking
Mike Makonnen
mtm at FreeBSD.Org
Mon Apr 16 18:39:03 UTC 2007
Hello folks,
Please review the attached patch for ping6(8) to fix PR kern/99425
You can attach extra headers to the ping6 packet by specifying, for
example, extra routing information. This information is sent as
control data with sendmsg(2) and when you get a reply is received
as control data from recvmsg(2).
In a nutshell, there are 2 problems:
1. The buffer supplied to recvmsg(2) to hold control (ancillary)
data is, in some cases, too small to hold all the extra headers.
2. In verbose mode, when printing out the control data, it doesn't
check to make sure that the stated length of the headers is
within the bounds of the buffer.
To address this I increased the buffer supplied to recvmsg(2) to the
minimum required by rfc 3542 (10420 bytes) and I modified the
functions that print the extra header information to print a
warning if the buffer is too small and to print only as much information
as contained in the buffer.
Cheers.
--
Mike Makonnen | GPG-KEY: http://people.freebsd.org/~mtm/mtm.asc
mmakonnen @ gmail.com | AC7B 5672 2D11 F4D0 EBF8 5279 5359 2B82 7CD4 1F55
mtm @ FreeBSD.Org | FreeBSD - http://www.freebsd.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ping6.diff
Type: text/x-diff
Size: 6384 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20070416/a2db8e59/ping6.bin
More information about the freebsd-net
mailing list