blob: 045461ebd2b0d06e50779c96badd41f62858ebf0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
------------------------------------------------------------
revno: 13232
revision-id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
parent: squid3@treenet.co.nz-20160220150859-3unryicod1rcx9rm
author: Yuriy M. Kaminskiy <yumkam@gmail.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.4
timestamp: Thu 2016-03-31 03:14:10 +1300
message:
pinger: Fix buffer overflow in Icmp6::Recv
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# testament_sha1: e404755509c03ec58c0c293552a7f2a579810fd3
# timestamp: 2016-03-30 14:51:02 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# base_revision_id: squid3@treenet.co.nz-20160220150859-\
# 3unryicod1rcx9rm
#
# Begin patch
=== modified file 'src/icmp/Icmp6.cc'
--- a/src/icmp/Icmp6.cc 2014-09-15 05:06:14 +0000
+++ b/src/icmp/Icmp6.cc 2016-03-30 14:14:10 +0000
@@ -277,7 +277,7 @@
#define ip6_hops // HOPS!!! (can it be true??)
ip = (struct ip6_hdr *) pkt;
- pkt += sizeof(ip6_hdr);
+ NP: echo size needs to +sizeof(ip6_hdr);
debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
", ip6_plen=" << ip->ip6_plen <<
@@ -288,7 +288,6 @@
*/
icmp6header = (struct icmp6_hdr *) pkt;
- pkt += sizeof(icmp6_hdr);
if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
@@ -313,7 +312,7 @@
return;
}
- echo = (icmpEchoData *) pkt;
+ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
preply.opcode = echo->opcode;
|
