Commit 0ed72537 authored by Alexander V. Chernikov's avatar Alexander V. Chernikov
Browse files

netinet6: perform out-of-bounds check for loX multicast statistics

Currently, some per-mbuf multicast statistics is stored in
 the per-interface ip6stat.ip6s_m2m[] array of size 32 (IP6S_M2MMAX).
Check that loopback ifindex falls within 0.. IP6S_M2MMAX-1 range to
 avoid silent data corruption. The latter cat happen with large
 number of VNETs.

Reviewed by:	glebius
Differential Revision: https://reviews.freebsd.org/D35715
MFC after:	2 weeks
parent d458eb8d
...@@ -588,12 +588,11 @@ ip6_input(struct mbuf *m) ...@@ -588,12 +588,11 @@ ip6_input(struct mbuf *m)
IP6STAT_INC(ip6s_mext1); IP6STAT_INC(ip6s_mext1);
} else { } else {
if (m->m_next) { if (m->m_next) {
if (m->m_flags & M_LOOP) { struct ifnet *ifp = (m->m_flags & M_LOOP) ? V_loif : rcvif;
IP6STAT_INC(ip6s_m2m[V_loif->if_index]); int ifindex = ifp->if_index;
} else if (rcvif->if_index < IP6S_M2MMAX) if (ifindex >= IP6S_M2MMAX)
IP6STAT_INC(ip6s_m2m[rcvif->if_index]); ifindex = 0;
else IP6STAT_INC(ip6s_m2m[ifindex]);
IP6STAT_INC(ip6s_m2m[0]);
} else } else
IP6STAT_INC(ip6s_m1); IP6STAT_INC(ip6s_m1);
} }
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment