Searched hist:293906 (Results 1 - 1 of 1) sorted by relevance
| /freebsd-11-stable/sys/netinet6/ | ||
| H A D | sctp6_usrreq.c | diff 293906 Thu Jan 14 08:22:59 MST 2016 glebius Verify the packet length in sctp6_input(). The sctp6_ctlinput() function does not properly check the length of the packet it receives from the ICMP6 input routine. This means that an attacker can craft a packet that will cause a kernel panic. When the kernel receives an ICMP6 error message with one of the types/codes it handles, it calls icmp6_notify_error() to deliver it to the upper-level protocol. icmp6_notify_error() cycles through the extension headers (if any) to find the protocol number of the first non-extension header. It does NOT verify the length of the non-extension header. It passes information about the packet (including the actual packet) to the upper-level protocol's pr_ctlinput function. In the case of SCTP for IPv6, icmp6_notify_error() calls sctp6_ctlinput(). sctp6_ctlinput() assumes that the incoming packet contains a sufficiently-long SCTP header and calls m_copydata() to extract a copy of that header. In turn, m_copydata() assumes that the caller has already verified that the offset and length parameters are correct. If they are incorrect, it will dereference a NULL pointer and cause a kernel panic. In short, no one is sufficiently verifying the input, and the result is a kernel panic. Submitted by: jtl Security: SA-16:01.sctp |
Completed in 191 milliseconds