From: Yuriy M. Kaminskiy <yumkam@gmail.com>
Date: Wed, 30 Mar 2016 13:47:57 +0000 (+1300)
Subject: pinger: Fix buffer overflow in Icmp6::Recv
X-Git-Tag: SQUID_3_5_16~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80af3090e46d44723e9181cb4f47e341dafa0c57;p=thirdparty%2Fsquid.git

pinger: Fix buffer overflow in Icmp6::Recv
---

diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
index f9b374f6c3..654838bee9 100644
--- a/src/icmp/Icmp6.cc
+++ b/src/icmp/Icmp6.cc
@@ -256,7 +256,7 @@ Icmp6::Recv(void)
     #define ip6_hops    // HOPS!!!  (can it be true??)
 
         ip = (struct ip6_hdr *) pkt;
-        pkt += sizeof(ip6_hdr);
+        NP: echo size needs to +sizeof(ip6_hdr);
 
     debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
             ", ip6_plen=" << ip->ip6_plen <<
@@ -267,7 +267,6 @@ Icmp6::Recv(void)
     */
 
     icmp6header = (struct icmp6_hdr *) pkt;
-    pkt += sizeof(icmp6_hdr);
 
     if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
 
@@ -292,7 +291,7 @@ Icmp6::Recv(void)
         return;
     }
 
-    echo = (icmpEchoData *) pkt;
+    echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
 
     preply.opcode = echo->opcode;