From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Sun, 13 Apr 2014 14:07:38 +0000 (+0100)
Subject: slip: Drop packets >mtu (SECURITY)
X-Git-Tag: debian/0.3.1_beta1~16
X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/commitdiff_plain/32240a83d9c8fe11d59b3b97a83e72991b6bfc17

slip: Drop packets >mtu (SECURITY)

Trying to send them to the kernel crashes userv-ipif.
This is a DoS vulnerability, exposed to internal sites only.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---

diff --git a/debian/changelog b/debian/changelog
index e3e5798..613963e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,7 +6,7 @@ secnet (0.3.1~~unstable) unstable; urgency=low
   * Fix netlink SEGV on clientless netlinks (i.e. configuration error).
   * Fix formatting error in p-t-p startup message.
   * Additions to the test-example suite.
-  * Fixes to MTU and fragmentation handling.
+  * SECURITY: Fixes to MTU and fragmentation handling.
 
  --
 
diff --git a/slip.c b/slip.c
index 9e63cb3..aed2551 100644
--- a/slip.c
+++ b/slip.c
@@ -213,6 +213,14 @@ static void userv_deliver_to_kernel(void *sst, struct buffer_if *buf)
 {
     struct userv *st=sst;
 
+    if (buf->size > st->slip.nl.mtu) {
+	Message(M_ERR,"%s: packet of size %"PRIu32" exceeds mtu %"PRIu32":"
+		" cannot be injected into kernel, dropped\n",
+		st->slip.nl.name, buf->size, st->slip.nl.mtu);
+	BUF_FREE(buf);
+	return;
+    }
+
     slip_stuff(&st->slip,buf,st->txfd);
 }