Bug 252504 - IGMP_V3 packet with malformed number of sources is discarded but mbuf not freed
Summary: IGMP_V3 packet with malformed number of sources is discarded but mbuf not freed
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: Unspecified
Hardware: Any Any
: --- Affects Many People
Assignee: Mark Johnston
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-08 08:30 UTC by Panagiotis Tsolakos
Modified: 2021-01-11 14:55 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Panagiotis Tsolakos 2021-01-08 08:30:10 UTC
In igmp.c, in function igmp_input(), the correctness of the incoming igmp packet is checked. If the packet is discarded because of wrong number of sources the mbuf is not freed.

/*
 * Validate length based on source count.
 */
nsrc = ntohs(igmpv3->igmp_numsrc);
if (nsrc * sizeof(in_addr_t) >
    UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
	IGMPSTAT_INC(igps_rcv_tooshort);
	return (IPPROTO_DONE);
}


The mbuf should be freed before the function returns:

/*
 * Validate length based on source count.
 */
nsrc = ntohs(igmpv3->igmp_numsrc);
if (nsrc * sizeof(in_addr_t) >
    UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
	IGMPSTAT_INC(igps_rcv_tooshort);
+       m_freem(m);
	return (IPPROTO_DONE);
}
Comment 1 commit-hook freebsd_committer 2021-01-08 18:32:42 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=501159696cb5204d94d03393e4bc5d82f2e348e6

commit 501159696cb5204d94d03393e4bc5d82f2e348e6
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-01-08 18:32:04 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-01-08 18:32:04 +0000

    igmp: Avoid leaking mbuf when source validation fails

    PR:             252504
    Submitted by:   Panagiotis Tsolakos <panagiotis.tsolakos@gmail.com>
    MFC after:      3 days

 sys/netinet/igmp.c | 1 +
 1 file changed, 1 insertion(+)
Comment 2 commit-hook freebsd_committer 2021-01-11 14:54:41 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=44851ff2f65de3bdf3b3fa469a7bb5546e77e170

commit 44851ff2f65de3bdf3b3fa469a7bb5546e77e170
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-01-08 18:32:04 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-01-11 14:41:55 +0000

    igmp: Avoid leaking mbuf when source validation fails

    PR:             252504
    Submitted by:   Panagiotis Tsolakos <panagiotis.tsolakos@gmail.com>

    (cherry picked from commit 501159696cb5204d94d03393e4bc5d82f2e348e6)

 sys/netinet/igmp.c | 1 +
 1 file changed, 1 insertion(+)
Comment 3 Mark Johnston freebsd_committer 2021-01-11 14:55:41 UTC
Thanks for the patch.