authorGordon Tetlow <gordon@FreeBSD.org>2018-09-27 18:29:55 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2018-09-27 18:29:55 +0000
commit4bf9f5d0aaeb5f196e4b859a64aa88a3f93bac30 (patch)
tree7f5d385efe78042ac967c0bf1acb617583b5d3f7
parentcf9763771d54a69970ce309ff6b658dc094e25be (diff)
Fix regression in IPv6 fragment reassembly. [EN-18:09.ip]
Approved by: so Security: FreeBSD-EN-18:09.ip
Notes
Notes: svn path=/releng/11.1/; revision=338978
-rw-r--r--UPDATING13
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/netinet6/frag6.c4
3 files changed, 17 insertions, 2 deletions
diff --git a/UPDATING b/UPDATING
index 0d19f12156cb..fb8b2a994258 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITHOUT_CLANG and WITH_GCC to bootstrap to
the tip of head, and then rebuild without this option. The bootstrap process
from older version of current across the gcc/clang cutover is a bit fragile.
+20180927 p15 FreeBSD-EN-18:09.ip
+ FreeBSD-EN-18:10.syscall
+ FreeBSD-EN-18:11.listen
+ FreeBSD-EN-18:12.mem
+
+ Fix regression in IPv6 fragment reassembly. [EN-18:09.ip]
+
+ Fix NULL pointer dereference in freebsd4_getfsstat. [EN-18:10.syscall]
+
+ Fix DoS in listen syscall over IPv6 socket. [EN-18:11.listen]
+
+ Fix small kernel memory disclosures. [EN-18:12.mem]
+
20180912 p14 FreeBSD-SA-18:12.elf
FreeBSD-EN-18:08.lazyfpu
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index adfbb08214dd..e6e4ae04ac20 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -44,7 +44,7 @@
TYPE="FreeBSD"
REVISION="11.1"
-BRANCH="RELEASE-p14"
+BRANCH="RELEASE-p15"
if [ -n "${BRANCH_OVERRIDE}" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c
index 1e9192d149c5..f157f39476bf 100644
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@@ -216,7 +216,9 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
int offset = *offp, nxt, i, next;
int first_frag = 0;
int fragoff, frgpartlen; /* must be larger than u_int16_t */
- uint32_t hash, hashkey[sizeof(struct in6_addr) * 2 + 1], *hashkeyp;
+ uint32_t hashkey[(sizeof(struct in6_addr) * 2 +
+ sizeof(ip6f->ip6f_ident)) / sizeof(uint32_t)];
+ uint32_t hash, *hashkeyp;
struct ifnet *dstifp;
u_int8_t ecn, ecn0;
#ifdef RSS
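Review bot: The length of the new `hashkey` array comes from an integer division that truncates silently, so if the key layout ever stops being a multiple of `sizeof(uint32_t)` the buffer would end up one word short for the code that fills it. With the operands visible here the sum is 16 * 2 bytes plus the size of `ip6f_ident` (presumably 4), so the result is exact today, but nothing enforces that; a compile-time check next to the declaration would, e.g. `CTASSERT((sizeof(struct in6_addr) * 2 + sizeof(ip6f->ip6f_ident)) % sizeof(uint32_t) == 0);`. The declaration also deserves a one-line comment saying why the size must be exact, such as `/* src + dst + ident, sized exactly: every word is written before the key is hashed */`. The old bound was an element count where a byte count was evidently meant, which looks like it left unwritten stack words inside the hashed key. The rest of `frag6_input`, including the code that fills and hashes `hashkey`, lies outside this hunk, so confirm that the hash call covers `sizeof(hashkey)` and nothing more.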