pinger: Fix buffer overflow in Icmp6::Recv

author Yuriy M. Kaminskiy <yumkam@gmail.com>

Wed, 30 Mar 2016 14:14:10 +0000 (03:14 +1300)

committer Amos Jeffries <squid3@treenet.co.nz>

Wed, 30 Mar 2016 14:14:10 +0000 (03:14 +1300)
author Yuriy M. Kaminskiy <yumkam@gmail.com>
Wed, 30 Mar 2016 14:14:10 +0000 (03:14 +1300)
committer Amos Jeffries <squid3@treenet.co.nz>
Wed, 30 Mar 2016 14:14:10 +0000 (03:14 +1300)
diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc

index a99830b4a22a529883d14e741d7751c1bba36d9f..807de4e216b303a5d740de42387091d24cb4fdc6 100644 (file)
--- a/src/icmp/Icmp6.cc
+++ b/src/icmp/Icmp6.cc
@@ -277,7 +277,7 @@ Icmp6::Recv(void)
      #define ip6_hops   // HOPS!!!  (can it be true??)
  
          ip = (struct ip6_hdr *) pkt;
-        pkt += sizeof(ip6_hdr);
+        NP: echo size needs to +sizeof(ip6_hdr);
  
      debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
                 ", ip6_plen=" << ip->ip6_plen <<
@@ -288,7 +288,6 @@ Icmp6::Recv(void)
      */
  
      icmp6header = (struct icmp6_hdr *) pkt;
-    pkt += sizeof(icmp6_hdr);
  
      if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
  
@@ -313,7 +312,7 @@ Icmp6::Recv(void)
          return;
      }
  
-    echo = (icmpEchoData *) pkt;
+    echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
  
      preply.opcode = echo->opcode;
author	Yuriy M. Kaminskiy <yumkam@gmail.com>
	Wed, 30 Mar 2016 14:14:10 +0000 (03:14 +1300)
committer	Amos Jeffries <squid3@treenet.co.nz>
	Wed, 30 Mar 2016 14:14:10 +0000 (03:14 +1300)