From: Yuriy M. Kaminskiy
Date: Wed, 30 Mar 2016 14:14:10 +0000 (+1300)
Subject: pinger: Fix buffer overflow in Icmp6::Recv
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1713ca851871313449dc63060704e064ed31e961;p=thirdparty%2Fsquid.git
pinger: Fix buffer overflow in Icmp6::Recv
---
diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
index a99830b4a2..807de4e216 100644
--- a/src/icmp/Icmp6.cc
+++ b/src/icmp/Icmp6.cc
@@ -277,7 +277,7 @@ Icmp6::Recv(void)
 #define ip6_hops // HOPS!!! (can it be true??) ip = (struct ip6_hdr *) pkt;
- pkt += sizeof(ip6_hdr);
+ NP: echo size needs to +sizeof(ip6_hdr);
 debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt << ", ip6_plen=" << ip->ip6_plen <<
@@ -288,7 +288,6 @@ Icmp6::Recv(void)
 */ icmp6header = (struct icmp6_hdr *) pkt;
- pkt += sizeof(icmp6_hdr);
 if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
@@ -313,7 +312,7 @@ Icmp6::Recv(void)
 return; }
- echo = (icmpEchoData *) pkt;
+ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
 preply.opcode = echo->opcode;
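Review bot: The replacement text `NP: echo size needs to +sizeof(ip6_hdr);` in the -277 hunk is too terse to tell a maintainer what has to change, and it is only valid if this region is commented out (the `*/` at the top of the -288 hunk suggests it is; the comment opens outside this hunk). Spell out the dependency so the echo offset is not forgotten if the IPv6-header parsing is ever re-enabled, e.g. `NP: do not advance pkt here; if this block is enabled, the echo offset must be sizeof(ip6_hdr) + sizeof(icmp6_hdr).`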
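Review bot: In the -313 hunk, `preply.opcode = echo->opcode;` reads through the new `echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));` with no visible guard that the received datagram is long enough to hold an icmp6_hdr plus the echo fields being read. Computing the offset from an unmodified pkt removes the pointer drift this commit targets, but a truncated reply would still be parsed from bytes the receive call did not write, unless the length is checked earlier in Icmp6::Recv, which starts and ends outside this hunk. If no such check exists, add one before the cast, along the lines of `if (<received_len> < sizeof(icmp6_hdr) + <fixed echo header size>) return;` (placeholders, since the real names are not visible here). The same applies to the `icmp6header->icmp6_type` read in the -288 hunk.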