Catalin Enache a1b71fe147 squid: CVE-2016-3947
Heap-based buffer overflow in the Icmp6::Recv function in
icmp/Icmp6.cc in the pinger in Squid before 3.5.16 and 4.x
before 4.0.8 allows remote servers to cause a denial of
service (performance degradation or transition failures)
or write sensitive information to log files via an ICMPv6
packet.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3947

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-05-09 19:05:02 -07:00


From 0fe108ecb2bbdf684f159950eaa55d22f07c4008 Mon Sep 17 00:00:00 2001
From: Catalin Enache <catalin.enache@windriver.com>
Date: Wed, 20 Apr 2016 15:17:18 +0300
Subject: [PATCH] pinger: Fix buffer overflow in Icmp6::Recv
Upstream-Status: Backport
CVE: CVE-2016-3947
Author: Yuriy M. Kaminskiy <yumkam@gmail.com>
Committer: Amos Jeffries <squid3@treenet.co.nz>
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
---
src/icmp/Icmp6.cc | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
index 794a51a..ee84b80 100644
--- a/src/icmp/Icmp6.cc
+++ b/src/icmp/Icmp6.cc
@@ -256,7 +256,7 @@ Icmp6::Recv(void)
#define ip6_hops // HOPS!!! (can it be true??)
ip = (struct ip6_hdr *) pkt;
- pkt += sizeof(ip6_hdr);
+ NP: echo size needs to +sizeof(ip6_hdr);
debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
", ip6_plen=" << ip->ip6_plen <<
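Review bot: the replacement for `pkt += sizeof(ip6_hdr);` is a note with no code behind it, and the two lines around it are untouched: `ip = (struct ip6_hdr *) pkt;` still aliases the receive buffer as an IPv6 header and the `debugs(...)` call still prints `ip->ip6_nxt` and `ip->ip6_plen` from it. The premise of the fix is that the buffer does not start with an IPv6 header, so those debug values are now read from the ICMPv6 header bytes and will be misleading. Either drop the `ip6_hdr` cast and the debug line with it, or make the comment say explicitly that the IPv6 header is not present in the received data and why the cast is kept.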
@@ -267,7 +267,6 @@ Icmp6::Recv(void)
*/
icmp6header = (struct icmp6_hdr *) pkt;
- pkt += sizeof(icmp6_hdr);
if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
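Review bot: removing `pkt += sizeof(icmp6_hdr);` leaves `pkt` pointing at the ICMPv6 header for the remainder of `Icmp6::Recv`, whereas before it pointed past it. The only later use adjusted in this patch is the `echo` cast in the next hunk; any other use of `pkt` further down the function (not shown in the diff) that assumed the old offset needs the same review. It would also help to state in the commit message that the advance was wrong because the kernel delivers raw ICMPv6 datagrams without the IPv6 header, so the double advance moved the pointer past the payload.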
@@ -292,7 +291,7 @@ Icmp6::Recv(void)
return;
}
- echo = (icmpEchoData *) pkt;
+ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
preply.opcode = echo->opcode;
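Review bot: `echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));` is immediately dereferenced by `preply.opcode = echo->opcode;` with no check that the received datagram is at least `sizeof(icmp6_hdr) + sizeof(icmpEchoData)` bytes long. The offset is now correct, but a short echo reply from a remote host still reads past the valid data in the buffer. Compare the byte count returned by the receive call (not visible in this hunk) against that minimum and return before the cast when it is smaller, as is done for the `icmp6_type` check above.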
--
2.7.4