From: Ian Jackson Date: Sun, 13 Apr 2014 23:45:35 +0000 (+0100) Subject: netlink: fix IP length check (SECURITY) X-Git-Tag: debian/0.3.1_beta1~4 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=secnet.git;a=commitdiff_plain;h=e8b1adac7d68956d297e8299576c158da2e4105a netlink: fix IP length check (SECURITY) This would erroneously abort on some very short packets. This is a DoS vulnerability, exposed to internal sites only. Signed-off-by: Ian Jackson --- diff --git a/debian/changelog b/debian/changelog index fe6caae..46645f4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,7 @@ secnet (0.3.1~~unstable) unstable; urgency=low * SECURITY: Fixes to MTU and fragmentation handling. * SECURITY: Correctly set "unused" ICMP header field. * Do not send ICMP errors in response to unknown incoming ICMP. + * SECURITY: Fix IP length check not to crash on very short packets. -- diff --git a/netlink.c b/netlink.c index 2c3d12d..787f4eb 100644 --- a/netlink.c +++ b/netlink.c @@ -831,7 +831,7 @@ static void netlink_incoming(struct netlink *st, struct netlink_client *client, BUF_FREE(buf); return; } - assert(buf->size >= (int)sizeof(struct icmphdr)); + assert(buf->size >= (int)sizeof(struct iphdr)); iph=(struct iphdr *)buf->start; source=ntohl(iph->saddr);
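Review bot: In the netlink.c hunk, the changed line in netlink_incoming() is still an assert() on a packet-derived length, so any path that reaches it with buf->size below sizeof(struct iphdr) aborts the process, which is the same failure mode the commit message calls a DoS. If the check ending in `BUF_FREE(buf); return;` just above already guarantees a full IP header, add a short comment naming that check so the invariant is documented. Otherwise, drop a short buffer on that same path (`BUF_FREE(buf); return;`) before `iph=(struct iphdr *)buf->start;` is dereferenced to read `iph->saddr`.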