svn commit: r351259 - in releng: 11.2/sys/kern 11.3/sys/kern 12.0/sys/kern

Gordon Tetlow gordon at FreeBSD.org
Tue Aug 20 17:49:34 UTC 2019 

Author: gordon
Date: Tue Aug 20 17:49:33 2019
New Revision: 351259
URL: https://svnweb.freebsd.org/changeset/base/351259

Log:
  Fix IPv6 remote denial of service.
  
  Approved by:	so
  Security:	FreeBSD-SA-19:22.mbuf
  Security:	CVE-2019-5611

Modified:
  releng/11.2/sys/kern/uipc_mbuf2.c
  releng/11.3/sys/kern/uipc_mbuf2.c
  releng/12.0/sys/kern/uipc_mbuf2.c

Modified: releng/11.2/sys/kern/uipc_mbuf2.c
==============================================================================
--- releng/11.2/sys/kern/uipc_mbuf2.c	Tue Aug 20 17:46:40 2019	(r351258)
+++ releng/11.2/sys/kern/uipc_mbuf2.c	Tue Aug 20 17:49:33 2019	(r351259)
@@ -214,7 +214,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp
 		goto ok;
 	}
 	if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen
-	 && writable) {
+	 && writable && n->m_next->m_len >= tlen) {
 		n->m_next->m_data -= hlen;
 		n->m_next->m_len += hlen;
 		bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen);

Modified: releng/11.3/sys/kern/uipc_mbuf2.c
==============================================================================
--- releng/11.3/sys/kern/uipc_mbuf2.c	Tue Aug 20 17:46:40 2019	(r351258)
+++ releng/11.3/sys/kern/uipc_mbuf2.c	Tue Aug 20 17:49:33 2019	(r351259)
@@ -214,7 +214,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp
 		goto ok;
 	}
 	if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen
-	 && writable) {
+	 && writable && n->m_next->m_len >= tlen) {
 		n->m_next->m_data -= hlen;
 		n->m_next->m_len += hlen;
 		bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen);

Modified: releng/12.0/sys/kern/uipc_mbuf2.c
==============================================================================
--- releng/12.0/sys/kern/uipc_mbuf2.c	Tue Aug 20 17:46:40 2019	(r351258)
+++ releng/12.0/sys/kern/uipc_mbuf2.c	Tue Aug 20 17:49:33 2019	(r351259)
@@ -216,7 +216,7 @@ m_pulldown(struct mbuf *m, int off, int len, int *offp
 		goto ok;
 	}
 	if ((off == 0 || offp) && M_LEADINGSPACE(n->m_next) >= hlen
-	 && writable) {
+	 && writable && n->m_next->m_len >= tlen) {
 		n->m_next->m_data -= hlen;
 		n->m_next->m_len += hlen;
 		bcopy(mtod(n, caddr_t) + off, mtod(n->m_next, caddr_t), hlen);

More information about the svn-src-all mailing list