git: 9515f04fe3b1 - stable/13 - frag6: Avoid a possible integer overflow in fragment handling

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 01 Aug 2023 20:03:55 UTC
The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=9515f04fe3b12b9e6ef6c802b647dd4cbdba621b

commit 9515f04fe3b12b9e6ef6c802b647dd4cbdba621b
Author:     Jonathan T. Looney <jtl@FreeBSD.org>
AuthorDate: 2023-08-01 14:58:34 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-08-01 19:49:07 +0000

    frag6: Avoid a possible integer overflow in fragment handling
    
    Reviewed by:    kp, markj, bz
    Approved by:    so
    Security:       FreeBSD-SA-23:06.ipv6
    Security:       CVE-2023-3107
    
    (cherry picked from commit ff3d1a3f9d71e706f320f51bae258e4e1a51b388)
---
 sys/netinet6/frag6.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c
index e0857d3af3e8..023470b20033 100644
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@@ -806,6 +806,11 @@ postinsert:
 	/* Adjust offset to point where the original next header starts. */
 	offset = ip6af->ip6af_offset - sizeof(struct ip6_frag);
 	free(ip6af, M_FRAG6);
+	if ((u_int)plen + (u_int)offset - sizeof(struct ip6_hdr) >
+	    IPV6_MAXPACKET) {
+		frag6_freef(q6, bucket);
+		goto dropfrag;
+	}
 	ip6 = mtod(m, struct ip6_hdr *);
 	ip6->ip6_plen = htons((u_short)plen + offset - sizeof(struct ip6_hdr));
 	if (q6->ip6q_ecn == IPTOS_ECN_CE)