ping6 extension headers bounds checking
Max Laier
max at love2party.net
Mon Apr 16 20:26:11 UTC 2007
On Monday 16 April 2007 12:16, Mike Makonnen wrote:
> Hello folks,
>
> Please review the attached patch for ping6(8) to fix PR kern/99425
>
> You can attach extra headers to the ping6 packet by specifying, for
> example, extra routing information. This information is sent as
> control data with sendmsg(2) and when you get a reply is received
> as control data from recvmsg(2).
>
> In a nutshell, there are 2 problems:
> 1. The buffer supplied to recvmsg(2) to hold control (ancillary)
> data is, in some cases, too small to hold all the extra headers.
> 2. In verbose mode, when printing out the control data, it doesn't
> check to make sure that the stated length of the headers is
> within the bounds of the buffer.
>
> To address this I increased the buffer supplied to recvmsg(2) to the
> minimum required by rfc 3542 (10420 bytes) and I modified the
> functions that print the extra header information to print a
> warning if the buffer is too small and to print only as much
> information as contained in the buffer.
I think it'd be better to supply the print functions with the rest of the
bufferlen instead of an offset. This way only the caller has to know the
size of the buffer - btw, do we get a result back i.e. how much buffer
was used. In addition you could check if the offset in the for-loop of
the caller is within bounds, before even attempting to call further.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20070416/9cb636bc/attachment.pgp
More information about the freebsd-net
mailing list